100 million Americans just had their personal information leaked in the massive MC2 Data breach
A security lapse at background check firm MC2 Data is a goldmine for cyber criminals, researchers warned
Nearly one-third of the US population may have had their personal data exposed following a leak at background check firm MC2 Data.
To carry out its checks, MC2 Data compiles data from a range of sources, including criminal records, employment history, family data, and contact details. This data is used to create profiles of individuals that are then sold to employers and landlords.
The company operates several websites, including PrivateRecords.net, PrivateReports, PeopleSearcher, ThePeopleSearchers, and PeopleSearchUSA.
According to Cybernews, which uncovered the breach, the exposed data is believed to include names, birthdates, email addresses, phone numbers, passwords, IP addresses, property records, and more.
Data on some clients seeking background checks was also exposed.
The leak is believed to have been caused by human error, with the 2.2TB of data left without a password and easily accessible to anyone on the internet.
MC2 Data is yet to issue a statement confirming the breach.
MC2 Data breach could have wide-reaching impact
Thomas Richards, associate principal consultant at the Synopsys Software Integrity Group, said the scale of the breach opens up impacted individuals to a variety of future risks.
"Anyone affected by this breach needs to reset their password immediately on any site where it had been used before," Richards said.
"MC2 customers need to be extra careful of any sudden and urgent requests to take unusual action, as they could be phishing attempts. The attackers have a lot of information that can be used to create attacks that will appear valid, which the customers need to be extra cautious about."
With background check companies holding highly sensitive information, it's no surprise that they might be attractive targets for hackers.
Late last year, threat actors stole around 2.9 billion records containing personal data from background checking firm National Public Data.
The data, which included name, email address, phone number, social security number, and mailing addresses, was released in April and August this year.
The records of nearly three billion people are believed to have been accessed. A lawsuit against National Public Data is currently underway, alleging that the company was negligent.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.