Unidentified Database Exposes Information of 80 Million U.S. Households

The breach includes complete addresses, cities, counties, states, zip codes, exact longitude and latitude, and personal information.


An unidentified database laid bare the information of 80 million U.S. households, including full addresses complete with longitude and latitude, according to a vpnMentor research team that discovered the exposure.

Per the vpnMentor report, known hacktivists Noam Rotem and Ran Locar discovered an unprotected database affecting up to 65% of U.S. households. Hosted on a Microsoft cloud server, the 24 GB database included the number of people living in each household, along with their full names, marital status, income bracket, age, and more. The team was unable to identify the owner of the database at the time.

Subsequently, vpnMentor released an update: “Following the publication of our report, Microsoft took its server offline. In a statement, they said, ‘We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured.’ Microsoft has not revealed who owns the database.”

The database seems to itemize households rather than individuals. It includes: complete addresses, including street locations, cities, counties, states, zip codes, and exact longitude and latitude; full names, including first, last, and middle initial; and birth date.

Some fields were stored as internally assigned numerical values rather than plain text: title, gender, marital status, income, homeowner status, and dwelling type.

vpnMentor noted that it did not find information one might expect in a database owned by brokers or financial institutions. For example, there are no policy or account numbers, social security numbers, or payment types.

“This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included people’s names, addresses, and income,” vpnMentor reported.

vpnMentor said its research team discovered the data leak while undertaking a large web mapping project. They used port scanning to examine known IP blocks. This revealed open holes in web systems, which they then examined for weaknesses and data leaks.

Although they investigated the database online, they said they did not download it. “Our researchers felt that downloading it would be an ethical breach, as they would then illegally own personally identifiable data sets without people’s consent,” the vpnMentor report said.

“Unfortunately, this type of breach is no longer unusual, but it is unusual to not know who owns the exposed data,” Tim Erlin, vice president, product management and strategy, at Portland, Ore.-based Tripwire, pointed out. Erlin added it is clear, after so many incidents, that organizations do not have control over access to their data stored in the cloud. “It’s not for a lack of tools, but a lack of understanding and implementation of the available tools. If you are storing data in the cloud, you can and should be able to audit the access permissions for that data on a continuous basis.”

Dan Tuchler, chief marketing officer of Santa Margarita, Calif.-based SecurityFirst, also pointed out that most states protect consumers against this type of careless breach: “There should be a national law.” Tuchler added, “Enterprises need to properly encrypt data in the cloud, including encrypting it from its point of creation or collection. They also need to protect data with access policy so that only authorized entities can retrieve it, and report on any unauthorized access so that the data can remain secured.”

This is not a goldmine for identity thieves, or even of significant note. It does not contain any payment card information, no social security numbers, no passwords, not even any email addresses, John Gunn, chief marketing officer of Chicago-based OneSpan, suggested. “It would have very limited value on the dark web. This is the type of information that countless marketers have been tracking and using for decades and is readily available. Yes, it could help hackers, but there are many other avenues to this type of information and no one should be worried about this, beyond concern for the generally poor security practices of the owner and whatever else they may not be protecting.”