Get the top HN stories in your inbox every day.
gehwartzen
rolandog
And tied to inflation (or to a % of gross income), too, otherwise it'll be cheaper in X years to get fined than to hire information security officers
overfeed
> We need a law mandating the company pays at least $1k per exposed record per customer or absolutely nothing will change.
That won't change a single thing, except for shell-company shenanigans, more frequent bankruptcy proceedings, and the same people coming back trading under a new name and logo. A law sending people to prison may actually change things.
troad
"Oh you want to make a little start up to share recipes between friends or whatever? Aww, that's cute. Well, here's the OAuth spec and an incomplete list of footguns. I hope your grasp of elliptic curves is strong. Prison time if you fail."
The absolutely only consequence of laws that criminalise mistakes in handling of PII is to force everyone to externalise auth to the likes of Auth0. And you can bet your ass that if this ever happens, the likes of Auth0 will lobby like hell to never ever repeal or update those laws, being a vast corrupt funnel of business to them.
Congrats, you've created a new Inuit.
JeremyStinson
All those people have high-priced lawyers that will keep them out of prison. The DBA and the Data Engineer will be the ones who go to jail for "Not ensuring all applicable data security controls were configured, and enabled, to prevent the detection, collection, and modification of any and all data assets within the purview of Company X, all its holdings and subsidiaries."
lucyjojo
force nationalization of the business for egregious cases.
muyuu
the main reason for this recent change is that before they used to just not report it, it makes no financial sense to them and they only do it because of recent legislation and liability
it's the only decent development from those data protection laws that usually do anything but protect data, but credit where it's due
cataflam
Almost a month old, original source: https://cybernews.com/security/global-data-leak-exposes-bill...
and I've never seen any confirmation elsewhere
Looks like CyberNews have edited the article with more info since first I saw it, it used to look quite suspicious and untrustworthy, it now has more info. Still doesn't say exactly what a record is, or how many uniques there are.
frereubu
I presume the database exists, but some of the details don't add up. IDMerit say "IDMERIT’s systems and security infrastructure have never been compromised", "there has never been a data breach or exfiltration from [our partners'] systems during, before, or after this event" and "IDMerit does not own, control or store customer data". But Cybernews says that they "promptly secured the database" after being notified. Cybernews also didn't give the reason why they thought this was to do with IDMerit (unless I missed it). I can't quite make head nor tail of it.
tootie
It's a weird article. For one, the researcher says "they believe" the data belongs to IDMerit but apparently aren't sure. IDMerit denies it's the owner of the data nor is it any of their partners. And there's very few details about where or how they found this database. It's possibly some kind of hoax or ransom attempt? Or there's really just billions of unaccounted databases of private data just sitting all over the Internet.
uean
The cybernews article does have some screenshots showing names like “idmb2c” … also that IDMerit was contacted in November and the ports were closed a day later.
0xbadcafebee
To sum up the updates in the article
- IDMerit asked the security researcher for proof, the researcher asked for money first, so IDMerit balked
- IDMerit basically says they have no proof they were hacked, so they weren't
- The researcher is a freelancer... for CyberNews...
...also, this is yet another example of why we need a regulated Software Building Code, with penalties for not conforming to it. If somebody is found to be hosting a public Mongo instance with no authentication, it should be reported to a state or federal agency, so that real penalties can be applied, the way they are for other code violations. And they shouldn't have been allowed to launch with that in the first place. It shouldn't be up to random "security researchers" to police businesses.
neya
If I was in Vegas, I would bet my life savings that the CXOs of the said ID Verification company's data isn't included in the leak. This is just like that Mc Donald's CEO's video - they never use what they create.
submerge
I bet their data is included too, for two reasons:
First, identity verification data for KYC is a little bit different from fast food or social media in that it's very difficult to live a normal life without being subject to any KYC checks. (I'm sure someone will chime in that they get paid in bitcoin and buy their groceries with cash.) If you are applying for some financial product or service that requires KYC, and they can't find any information about you, you will often either be denied that product or have to jump through a bunch of additional hoops to prove who you are. So it benefits CXOs to have their data included in these datasets, in fact if they are well paid they may well have more activity requiring KYC checks than the average person.
Second, and much more simply, one's own data often makes for a good test case since you know its accuracy.
neya
I am not debating that they don't need KYC, I'm simply saying they probably use a more secure alternative than their own.
whatsupdog
Where the F does IDMerit even get all this data from? They have names, DOBs, addressed, phone numbers, national identity numbers for over a billion people? How?
wongarsu
The 1B number would contain multiple records per person.
For example if I (as a German in Germany, ymmv) open a bank account online that involves a call with one of these companies where they take pictures and information from my passport and check that that's me. Then I choose payment in installments on some online shop, same game. Apply for a small loan? Same game. Set up an account for trading (stock exchange or crypto)? You guessed it, another call. Another payment in installments, backed by the same bank? Apparently verifying my identity again is easier than checking their database. Each of those is another record. Potentially with a new identity document, address or even name (maybe you got married) but mostly just the same data confirmed again with another timestamp
Not all of them use the same identity verification service, but there aren't that many. And I wouldn't be surprised to learn that many are the same company under different brands
shakna
A record is not necessarily unique. Name changes, address changes, phone number changes, can all create "new" records in dumps like these.
uean
Makes sense if the ID verification process involves scanning a driver license or passport.
Edit- rereading this, you’re obviously talking about scale. The original article is much better : https://cybernews.com/security/global-data-leak-exposes-bill...
gregbot
This made me absolutely livid:
> We requested a security incident report from the ethical hackers as proof
So instead of paying him a fair bug bounty, they demand that he write a formal report for them and prove to them that there is even a problem.
Totally unhinged, but it gets worse:
> the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.
Wow. So when the security researcher informs them that he would be happy to do some consulting work for them and informs them of his rates, they flip out and accuse his initial good samaritan decision to inform the company of the issue of being part of a plot by him to hold the company for ransom?
Whoever thought this is both totally delusional and a complete jerk. Truly, no good deed goes unpunished.
chikinpotpi
Nobody told their marketing department:
https://www.idmerit.com/blog/idmerits-data-breach-fail-safe-...
archived for posterity: https://archive.ph/MdSfO
jajuuka
Unprotected MongoDB, tables without password, data in plain text. It's a textbook example of doing absolutely everything wrong.
undefined
danlitt
> We own and operate our proprietary platform, but we do not own, control or store customer data or the underlying data maintained by independent data sources.
This seems like a critical sentence. Is this database actually operated by IDMerit, or someone else? If so, who?
ericwebb
Remember when you'd get a letter in the mail, "you identity has been compromised, here is a subscription to an identity monitoring service."
The system is broken. We shouldn't be so vulnerable because of foundational infrastructure.
pirate787
While this leak may or may not have happened, for this type of exposure there should be criminal liability for developers and executives. Criminal negligence and prison time.
outime
If developers are going to face criminal liability, they should IMHO also have legal ways to push back against certain implementations without risking their jobs, or at least have a way to leave a legal justification somewhere: "I'm doing this because I'm forced to but I disagree" which is then signed by management.
Until then, you're putting the weight of the law on the wrong side of the equation, since developers aren't the ones consciously making risky decisions.
danlitt
Most countries already have whistleblower laws. If you are living somewhere that has any kind of "wrongful termination" legislation, an employer asking you to commit a crime is an open and shut case. I would guess that all of the USA and Europe would have existing sufficient protections, for example (although the US never ceases to surprise me).
activestore
They won’t do it just for protection.
The state would need to offer an award, and maybe witness relocation
Get the top HN stories in your inbox every day.
At this point I get about 1-2 emails a year telling me some company has exposed my private data in some way. It’s completely routine.
We need a law mandating the company pays at least $1k per exposed record per customer or absolutely nothing will change. The current cost of “here’s a years worth of credit monitoring” doesn’t even amount to a slap on the wrist.