Mystery database breach – Could you be one of the 80 million exposed?
Here’s a data breach mystery. It isn’t often that we see a major breach and yet not know for sure who has been affected. Yet that is exactly what we have here, in a story that’s been trending this week, when researchers discovered a 24GB database on an unsecured Microsoft Azure cloud server. Although the database itself belongs to Microsoft, the data on over 80 million US households stored within is still of uncertain ownership. According to Noam Rotem and Ran Locar, security researchers at vpnMentor, the type of data hosted is unprecedented. Writing in a blog post: “we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income.” Grouped together with information on gender, homeowner and marital status, the data paints an extremely thorough picture for anyone who has it.
The mystery of ownership lingers, however. Usually, the researchers say, upon discovery of a security issue like this they would notify the owner so they could take action. But who to contact? There are some clues. It has been suggested the database is for a service of some kind, since every person is over 40, and every entry contains “member_code” and “score.” Rotem and Locar believe it could belong to an insurance, healthcare, or mortgage company. They have asked the public for help in identifying the owner of the database.
Another wrinkle comes from what the data set lacks. If it belonged to a bank, you would expect to see Social Security numbers, account numbers and payment information. None of which appear in this case. Even so, there is plenty of material to work with for identity thieves and other fraudsters, should they get a hold of such a resource. Since home addresses are included, it also opens up the possibility of break-ins, bridging the divide between the digital and physical.
Keep in mind, the figure we’re talking here is not 80 million people, but households. Not only is that well over half of all US households (out of around 127 million), it means hundreds of millions of individuals could be at risk.
We can only hope that Microsoft, who should know the unknown owner, has notified them. Securing the data may not be their responsibility as host, but their obligation here does extend to their customer, one which has already failed in their obligation to their own.