A data leak at data validation company Verifications.io is three times larger than originally reported, comprising two billion leaked records not 809 million, according to cyber-security company Dynarisk.
Talking to SC Media UK earlier this evening Andrew Martin, CEO & founder of DynaRisk explained that his organisation had been analysing the records for the past few weeks and discovered that the compromised server, based in Miami, had four databases exposed, not one. DynaRisk has analysed the other three to find that a total of 2,069,145,043 total records from all over the world have been leaked.
The breach totals approximately 196 gigabytes worth of data not 150 gigabytes and in just one of these databases, 808,539,849 records were exposed, which Dynarisk breaks down as:
Email records = 798,171,891 records
Email With Phone = 4,150,600 records
Business Leads = 6,217,358 records
The records were not encrypted, but stored in plain text, and it appears the data from multiple clients had been pooled. The way to verify such marketing data is often to send out an email, but the data owner - Verification/io’s clients - may not want to be seen and blocked as a spammering, hence outsourcing the task.
Redacted example of UK records for staff at Barclays
The earlier report from Wired magazine explained that the data included not only standard information like names, email addresses, phone numbers, and physical addresses, but also: "...things like gender, date of birth, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses, and characterisations of people's credit scores …. other records in the collection seem related to generating sales leads at businesses, including company names, annual revenue figures, fax numbers, company websites, and industry identifiers for categorising companies called "SIC" and "NAIC" codes."
Martin adds that his company has seen the following data attributes: "Name, Address, Phone Number, Email Address, Date of Birth, Gender, IP Address, Employer, Job Title, Company Website and other identifiers such as "Licence Number", MID, SIC and others which we are not sure what they are for. Not all records have these attributes, some are full, some are partially populated, others only contain an email address and nothing else."
The email_lower_sha256 element in the sample above is not a person’s password, it is most likely used for the company’s internal processes.
He also revealled that data included collation of publicly available emails used by SC Magazine.
There is no evidence yet that the data has been used for criminal purposes, and it was held by a legitimate company, legally entitled to have the data, plus the company says it is GDPR compliant. However, Martin notes that the data has been exposed for weeks, saying: "it wasn’t secure so its not GDPR compliant, this wasn’t an APT, it didn’t keep the data safe. It was on a database on the internet open for anyone - and if we accessed it, it will have been seen by at least 100 others poking around at the data."
While it is a leak, rather than a hack, the data could well have been downloaded for future criminal use for phishing emails and scams, telephone push payment fraud scams or CEO fraud. Matin explained how it would likely take a while to play out. "If the data has been acquired (by criminals), now that the server has been rendered inaccessible, they would still have proprietary breached data, which they could sell on hacker forums in couple of months to bad guys using it for phishing etc. Just because it’s breached, it might not reach a wide pool of criminals."
So who is held liable and will the data subjects be told? "Who gets sued? Because of way company works, probably no-one," suggests Martin, noting, "Verifications.io takes marketing lists from several companies, and those corporates will have terms and conditions that will push liability onto this company, to be in breach of its contract. So if a client were a bank and it was sued, it will in turn sue this company. Compared to the banks, it’s a smallish company, and if all of the clients sued, it would end up in bankruptcy. They would probably terminate their contracts due to breach anyway."
He adds that while the clients would have been given permissions to share data with a third party, the clients wouldn’t have realised it would end up in gigantic two billion record database. Verfications.io says it gets its data publically, which presumably means scraping websites etc for data posted publicly which then gets taken by a script - again, probably not illegal, though Martin says, "It begs the question, should corporates be more transparent about where they are getting their data?"
Any regulatory fines will likely be impacted by what is done with the data, and although it is not medical or payment data, the sheer number of records suggest that this breach will trip the threshold requiring reporting to the data protection regulator who would work out if it was necessary to notify data subjects that their data has been breached.