CYBER CORNER

INADVERTENT PUBLICATION OF PASSWORDS ADDS TO CONSUMER DATA BROKER’S WOES

As reported by multiple news outlets, a consumer data broker that recently leaked the personal information of a large swath of the American public online has also inadvertently published passwords allowing hackers to access its database.

The saga began in December of 2023, when the broker experienced a security incident. Four months later, a cybercriminal began selling data that had been taken from the broker. It took yet another four months (and an apparent second data breach against the broker’s sister company) for the data broker to acknowledge that it had been compromised. The sister company’s website temporarily gave visitors access to an archive that included source code as well as usernames and passwords in plain text. All users had initially been assigned the same password with instructions to personalize it, though many had failed to do so.

The founder of the company has responded to media inquiries about these incidents by stating that the archive file had been removed and that the website would be ceasing operations. Further analysis of the source code reveals that the website was developed by a firm in Pakistan, which could not be reached for comment.

ACTION ITEMS: Consumers are encouraged to freeze their credit reports to prevent accounts from being opened in their name. Businesses would be wise to avoid sharing customer information with data brokers whose reputation is not firmly established. Additionally, companies should ensure that their use of data brokers is consistent with what the company’s stated privacy policy tells customers about how their personal data is shared with third parties.