Unknown US security breach exposes data of 80 million households

Twenty-four gigabyte database includes full names, marital status, age and incomes

The personal information of 80 million US households, including full names, marital status, age and an indicator of incomes, among other data, has been exposed in a security breach.

However, the owner of the database - which was taken down today - remains unknown.

The breach was discovered by 'hacktivists' Noam Rotem and Ran Locar and highlighted by specialists at vpnMentor. They claim it is part of a 24GB trove of information that had been stored on an unprotected Microsoft Azure cloud server.

The database also includes the households' exact location in latitude and longitude, and "member_code" and "score" fields indicating that it comes from an online service of some description.

"This isn't the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included people's names, addresses, and income. This open database is a goldmine for identity thieves and other attackers," warned the company in a blog posting.

Indeed, the income and age information, in particular, will help potential attackers to target vulnerable individuals, especially wealthy elderly people.

Furthermore, the postal addresses, backed up by precise location information, along with age, will enable identity thieves to convincingly pass themselves off as their targets. The data provided also makes it trivial to uncover data often used for additional authentication, such as mother's maiden name and places of birth.

VpnMentor claimed that it uncovered the trove as part of a web-mapping project that it is currently undertaking, using port scanning to examine known IP blocks. "This reveals open holes in web systems, which they then examine for weaknesses and data leaks," it claims.

Normally, the ultimate owner of potentially unsecured information can be identified and they - and the people affected - can be notified accordingly.

"Unlike previous leaks we've discovered, this time, we have no idea who this database belongs to. It's hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.

"The data includes uniform entries for more than 80 million households, making it almost impossible to narrow down. The only clue we found lay in people's ages: despite searching thousands of entries, we could not find anyone listed under the age of 40."

While a precise amount for household income isn't provided, a value is given that could no doubt be easily cracked.

"This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types."

Following publicity surrounding the security breach, Microsoft unilaterally took the database offline, informing the account holder of the breach, although not disclosing their identity.

In a statement, the company said: "We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured."

Tim Erlin, a vice president at Tripwire, warned that until the source of the data is known it is hard to know the true level of exposure. "Unfortunately, this type of breach is no longer unusual, but it is unusual to not know who owns the exposed data," he said.

"Until we understand who the owner is, we're limited to generalisations about exposure. It's clear, after so many incidents, that organisations do not have control over access to their data stored in the cloud.

"It's not for a lack of tools, but a lack of understanding and implementation of the available tools. If you are storing data in the cloud, you can and should be able to audit the access permissions for that data on a continuous basis."

Ryan Wilk, vice president of Mastercard-owned NuData, hinted that the breach would almost lend weight to GDPR-like regulations over data in the US.

"Cyber criminals will leverage this data globally for building synthetic identities or taking over identities to buy goods and services," said Wilk.

He continued: "The mishandling of data through online databases or via a third party is no longer a valid excuse in the eyes of the public.

"Many companies are already taking a proactive stance to secure all data and make security part of their core business practice. As demonstrated in the EU with GDPR, companies will have an important role in best practices when securing data that they are the custodian of, not the owner."
