Two Billion Users Exposed In 2nd Largest Data Breach In History

June 25, 2019

Businesses that use data collection firms should take notice. A recent data breach not only exposed the PII (Personally Identifiable Information) of two billion users; it could also have been avoided. In February of this year, researchers found what they are calling the second-largest data breach to date. A server belonging to a data validation company called Verifications.io unknowingly leaked massive amounts of data affecting 2 billion people. The information included verified PII like phone numbers, dates of birth, addresses, credit scores, and Facebook, Instagram, and LinkedIn account details. That’s a ton of data now out in cyberspace, and it hands hackers the ammunition to do what they do best: deliver targeted and believable phishing emails. The more information about you in an email, the more believable it is. This is what is known as the weaponization of data.

The Yahoo! data breach exposing the PII of 3 billion users is considered the largest data breach in history. Until now, the second largest data breach was AdultFriendFinder, releasing the PII of more than 412 million account holders. Security researchers found the unsecured Verifications.io server had no password protection and held 150GB of PII on the public-facing email database. Anyone with an internet connection could access the data, and it’s unknown who and how many people actually did. Leaving data exposed to the public without so much as requiring a password for access to it is unconscionable to most users, and the public has the right to be upset their PII was so carelessly held.

Although the Verifications.io data breach is now the second largest in history, researchers point out that it’s the largest data breach coming from one single source. The problem is that Verifications.io was never properly vetted by the companies using its service. As a result, apparently no one knew if the data was safely held and secured from public access. Organizations using third-party vendors like Verifications.io to keep data safe must thoroughly vet the vendors they use, long before they enter into a contract.

Data collection is a huge business, and the data is often used for marketing and advertising to current and prospective customers. The responsibility for keeping that data safe should be with the vendors who collect it, but as this data breach shows, they can’t always be trusted. This data breach should be a wake-up call for IT departments and those at the top that keeping consumer data safe is ultimately their responsibility. As this breach illustrates, the vendors who actually hold the data may be doing a terrible job of it, and they need to be thoroughly vetted before they are handed consumer PII. The continued success of a company may well depend on it, because the public, who puts their faith in those in charge, is rightly counting on them to keep their PII safe.

Stickley on Security
Published June 25, 2019