A large database containing sensitive information collected by a data broker was left in a publicly accessible cloud container without basic protections, a security researcher has revealed.
Jeremiah Fowler recently discovered a non-password-protected database that held more than 600,000 records belonging to SL Data Services (Propertyrec).
SL Data Services is a background check company that offers a range of information services, from real estate data to criminal records searches.
The database Fowler found was a 713.1GB Amazon S3 bucket, which, in addition to not having password protections, left the data unencrypted. Theoretically, anyone could’ve read the files, many of which contained sensitive information.
The files contained thousands of individuals’ vehicle records, including license plate and vehicle identification numbers (VIN), as well as property ownership documents, criminal records, and previous background checks.
Fowler reported that 95% of the documents he analyzed were labeled as background checks.
These background checks listed the individuals’ full names, addresses, email addresses, phone numbers, employment history, social media accounts, and details on their family members.
Fowler said he contacted SL Data Services, seeking to clarify whether the database was managed by the firm or a third-party contractor, but did not receive a response.
He noted that during the period between discovering the exposed cloud container and the time the records were secured, the number of documents in the database had grown by 150,000 files.
Furthermore, Fowler could not confirm for how long the database was exposed or if anyone else had gained access to it.
ITPro has contacted SL Data Services for clarification on the incident but has not received a response.
String of breaches raises questions about data brokers’ security posture
This incident occurred just months after another background check service operated by National Public Data (NPD) confirmed it was breached, compromising sensitive information belonging to 270 people.
The breach saw a 277.1GB database containing 2.9 billion records exfiltrated from NPD and listed for sale on the underground hacking forum Breached for $3.5 million.
The financial and legal fallout from the attack proved fatal for NPD, which filed for bankruptcy in October 2024, citing insurmountable legal costs, reputational damage, and costly obligations to provide affected parties with credit monitoring services.
More recently, another data broker, DemandScience (Pure Incubation), which describes itself as an AI-powered B2B demand generation firm, said a compromised third party may have exposed millions of records it had stored on individuals.
The company told ITPro that over 100 million records may have been stolen from a third party after a threat actor listed the company on BreachForums, claiming to have stolen one of its databases.
In his report on SL Data Services, Fowler gave a number of recommendations to background check firms, which appear to be a popular and potentially easy target for cyber criminals.
Organizations should use unique identifiers that are both random and hashed instead of customer names or PII as filenames when organizing their databases.
“Companies should also avoid using predictable patterns in file names; for example, in this database, the files were named using the following format: ‘First_Middle_Last_State.PDF’”, Fowler advised.
Additionally, companies who collect and store potentially sensitive data should monitor access logs. This can help identify any unusual patterns, such as instances of mass viewing or downloading of files from the organization’s cloud storage database or internal network.
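The access-log monitoring recommended above, as an added example that is not taken from Fowler's report or from this article: it scans S3 server access log records for any source that reads an unusually large number of distinct objects within a short window, and notes whether those reads were unauthenticated. The log lines, bucket name, IAM identity, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of an S3 server access log record; trailing fields are ignored.
LOG_RE = re.compile(
    r'^\S+ \S+ \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) \S+ '
    r'(?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\S+) ')

def find_mass_downloads(lines, max_objects=100, window=timedelta(minutes=5)):
    """Return {ip: {"peak": n, "anonymous": bool}} for every source that read
    more than max_objects distinct objects inside one sliding time window."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["op"] == "REST.GET.OBJECT" and m["status"] == "200":
            ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"], m["requester"], m["key"]))
    events.sort()                    # log delivery order is not guaranteed
    recent = defaultdict(deque)      # ip -> (time, key) reads still in the window
    alerts = {}
    for ts, ip, requester, key in events:
        q = recent[ip]
        q.append((ts, key))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({k for _, k in q})
        if distinct > max_objects:
            a = alerts.setdefault(ip, {"peak": 0, "anonymous": False})
            a["peak"] = max(a["peak"], distinct)
            # A requester of "-" means the read was unauthenticated.
            a["anonymous"] = a["anonymous"] or requester == "-"
    return alerts

def sample_line(ts, ip, requester, key):
    """Build one CONSTRUCTED record; owner, bucket and request ID are placeholders."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return (f'OWNERID example-bucket [{stamp}] {ip} {requester} REQID REST.GET.OBJECT '
            f'{key} "GET /{key} HTTP/1.1" 200 - 2048 2048 12 10 "-" "curl/8.0" -')

def sample_log():
    # Constructed traffic: one anonymous bulk reader and one ordinary user.
    t0 = datetime(2024, 11, 1, 9, 0, 0)
    user = "arn:aws:iam::111122223333:user/analyst"   # placeholder identity
    bulk = [sample_line(t0 + timedelta(seconds=i), "198.51.100.7", "-",
                        f"doc-{i:04d}.pdf") for i in range(150)]
    normal = [sample_line(t0 + timedelta(minutes=5 * i), "203.0.113.20", user,
                          f"doc-{i:04d}.pdf") for i in range(5)]
    return bulk + normal
```

Calling `find_mass_downloads(sample_log())` flags only the constructed bulk reader; an alert with `anonymous` set also indicates that the bucket is serving objects without authentication.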