
Background Check Services Firm MC2 Data Leak Impacts Over 100 Million Americans

Over 100 million Americans have had their sensitive personal information exposed in a massive data leak affecting the background check services company MC2 Data.

The company operates numerous screening websites including PrivateRecords.net, PrivateReports, PeopleSearcher, ThePeopleSearchers, and PeopleSearchUSA.

Cybernews researchers found that the exposure stemmed from an unsecured database left without a password, allowing anybody with a web browser and an Internet connection to access 2.2 terabytes of personal information.

Nearly a third of all Americans impacted by MC2 Data leak

Details leaked included the victims’ names, email addresses, IP addresses, user agents, encrypted passwords, partial payment information, home addresses, dates of birth, phone numbers, and property and legal records.

The background check data leak also exposed information regarding the victims’ family members, relatives, neighbors, and employment history. The database contained 106,316,633 records from at least 100 million unique individuals.

“What was likely to be a human error exposed 106,316,633 records containing private information about US citizens,” wrote Cybernews.

Additionally, it exposed the information of 2,319,873 subscribers, including organizations that required background check services. The researchers warned that some impacted subscribers “could be high-value targets for cybercriminals.”

How long the database remained unsecured, and whether any threat actors accessed the sensitive information, remains unknown.

However, Cybernews notes that the data leak was fixed at the time of publication, although MC2 Data has not yet responded to requests for comment.

While MC2 Data took immediate steps to fix the security loophole, Javvad Malik, a Lead Security Awareness Advocate at KnowBe4, notes that an organizational culture that prioritizes cybersecurity is paramount: “It’s not just a matter of patching a hole; it’s about an overarching culture of cybersecurity that needs to be fostered at all levels of an organization, especially when it holds the keys to such critical personal data.”

Serious privacy concerns

Background check companies aggregate data from various sources, including public records, court cases, employment history, and family data. Consequently, the data leak exposed extensive personal information that could irreparably affect the impacted individuals.

The completeness and accuracy of the background check data make it invaluable for landlords, employers, and even romantic partners. Cybercriminals could also exploit the leaked information for cyber attacks, including identity theft, social engineering, and phishing.

“Scammers can leverage this data to create synthetic identities, open fraudulent accounts, establish credit histories and accrue debt, often without the victim’s knowledge,” warned Bala Kumar, CPTO at Jumio.

Nonetheless, this would hardly be the first time cybercriminals have exploited background check services, according to Cybernews security researcher Aras Nazarovas.

“Background-checking services have always been problematic, as cybercriminals would often be able to purchase their services to gather data on their victims,” noted Nazarovas.

However, the security researcher notes that, although background check companies have often tried to prevent malicious actors from exploiting their screening platforms, “they haven’t been able to stop such use of their services completely.”

Nevertheless, the data leak puts cybercriminals a step ahead by effortlessly granting them access to invaluable personal information at no cost or risk.

“Such a leak is a goldmine for cybercriminals as it eases access and reduces [the] risk for them, allowing them to misuse these detailed reports more effectively,” said Nazarovas.

According to Kumar, the MC2 Data leak “underscores a critical vulnerability in how we protect and verify identity data.”

“It’s crucial to recognize that the exposed information was not encrypted, making it easier for bad actors to misuse it,” noted Kumar.

While legal, background screening platforms operate under strict federal and state guidelines that emphasize individual privacy and data security. Thus, the data leak raises serious privacy concerns that could cost the company dearly.

Consequently, MC2 Data faces a potentially crippling class action lawsuit for seemingly failing to protect the sensitive information of its customers and the general public.