At a glance.
- Broker exposes unprotected scraped data.
- Report: private investigators get California Department of Motor Vehicles data.
- Updates on CRA data breach.
- Blackbaud breach claims more victims.
Social Data left scraped data exposed and unprotected.
Comparitech reports finding a database of almost 235 million social media profiles exposed to the Internet. The database, which belongs to Social Data, a data broker, appears to have been scraped from publicly accessible social media pages appearing on YouTube (3,955,892), TikTok (42,129,799 records), and Instagram (two sets of records, 95,678,713 and 95,678,713). Each record, Comparitech said, includes "some or all of the following info": profile name, full real name, profile photo, account description, "whether the profile belongs to a business or has advertisements," last post timestamp, age, gender, and follower engagement (including number of followers; engagement rates; growth rate; audience age, gender, and location; and likes). Social Data took down the servers hosting the data within three hours of notification. The company, which is based in Hong Kong and sells online marketing analysis, stressed to Comparitech that all the data it held were readily available on the Internet to anyone interested in viewing them, which might give social media users pause about their own self-induced exposure.
The California DMV recoups costs for delivering data to commercial enterprises.
Motherboard has obtained, through public records requests, internal documents from the California Department of Motor Vehicles that describe what Motherboard characterizes as the DMV's practice of selling driver and vehicle data to various buyers. The DMV said that it's in compliance with applicable state and federal laws. The DMV explained that it's "statutorily required to provide certain driver- and vehicle-related information and is permitted to recover its costs for doing so." To emphasize, lest one might think "sell" and "recover costs" amounted in this case almost to a distinction without a difference, the Department repeated to Motherboard, "the DMV does not sell information, but recovers the cost of providing information as allowed by law." Presumably one of those laws is the California Consumer Privacy Act.
Most of the data are provided under the "Employer Pull Notice" program, which DMV explained to Motherboard entails mailing "a driving record when an employee is enrolled and when a conviction, accident, license suspension or revocation, or any other action taken against the employee’s driving privilege is added to the employee’s driving record." A spreadsheet of commercial enterprises requesting DMV data ran to 97,745 businesses, from 007 Trans LLC to ZZZ Express, Inc. The bail bondsmen and private eyes got most of the attention in the story, but a great many of the companies on the list appear to be the sort of outfits that would be hiring drivers, and it's not difficult to imagine any number of legitimate and non-sinister reasons for such requests. Some legislators, however, are said to be displeased by the scope of the program. (And the private eye connection raises eyebrows.)
Data breaches: fog sees silver lining.
Two Canadian government data breaches, one of the Canada Revenue Agency, the other of the GCKey service, are believed to have affected some eleven thousand individuals. ITWorld Canada reports that Canada's acting federal chief information officer, Marc Brouillard, said that the incidents actually represent a security success, since the government was able to detect and "largely mitigate" the attacks. He also pointed out that 11,000 out of 12,000,000 is a pretty small fraction of the accounts that could have been affected. (Not, he added, that he intended to minimize the effect on those whose data were exposed.)
Another, unrelated incident at a Canadian government institution, the Royal Military College of Canada, which was hit by DoppelPaymer ransomware in July, has resulted in public exposure of student personal, academic, and financial information. Global News reports that data stolen by the DoppelPaymer operators have begun to appear in online dumps.
Not-for-profits continue to warn donors of risks stemming from the Blackbaud hack.
Dotmed sees a general problem for hospitals. In England, Birmingham Live reports that a petting zoo, the Sutton Park Donkey Sanctuary, has also warned parents that their children's data (names, addresses and contact details) are at risk.