
Posted by robtherobber 6 hours ago

1B identity records exposed in ID verification data leak (www.aol.com)
147 points | 33 comments
djohnston 3 hours ago|
aol.com!?!?
esperent 4 hours ago||
This is actually a Fox News article and as far as I can see it's not corroborated anywhere.

I saw a Reddit thread about it earlier where someone said the apparent hacker refused to actually show any of the data and was asking for money. So probably just a scam rather than a real leak.

mapontosevenths 4 hours ago|
The Fox article just cites CyberNews.[0]

Cybernews posts screenshots[1] featuring usernames like idmKYCCN and idmKYCFR, and the ports were locked down after contacting ID Merit.

I think that what's happened is that everyone is telling the literal truth and speaking very carefully to use that truth to obscure rather than inform. To hell with the victims. The way I interpret this is that their denials are both factually accurate AND misleading.

The partner who said there is "no indication that any customer data has been compromised" is telling the literal truth. They can't find any indicators because they stink at logging and the screenshots posted on CyberNews obscure the customer info intentionally. Instead CyberNews only shows the IDM usernames in plaintext. Which was the responsible thing to do. They literally can't see any indications... of customer data... because they don't have logs.

It should also be noted that the partner's customer in this case is likely ID Merit... not the people whose information was stolen. So again, their statement was literally true even if they do find evidence of a billion records being leaked.

Nobody should ever trust anyone involved in this again if I'm correct in this interpretation of the available facts.

[0] https://www.foxnews.com/tech/1-billion-identity-records-expo...

[1] https://cybernews.com/security/global-data-leak-exposes-bill...

plagiarist 1 hour ago||
Yet another point of proof that the US needs a HIPAA covering PII.
mbix77 6 hours ago|
What did measures like GDPR ever achieve except for making me click a cookie prompt away?
Rygian 6 hours ago||
Actual punitive measures taken against entities who e.g. manipulate personal data in a negligent way. [1]

Which was much harder to achieve before.

[1] https://www.enforcementtracker.com/

loloquwowndueo 5 hours ago|||
Right to be forgotten - you can ask companies to delete data they hold on you.

Data ownership/portability: you can ask companies for a copy of all data they hold on you or related to you.

I’ve seen the latter used by job applicants to get an entire copy of their interviews, transcripts and assessments including the reason for not being hired.

saithir 3 hours ago|||
It's really a wonder how every time GDPR is even remotely related, there's always gotta be someone complaining about how GDPR is at fault for the cookie/data prompts, and never that sites and advertising companies (and their 2137 partners) are at fault for actually making those prompts as annoying as possible in hopes that you just agree.
akimbostrawman 2 hours ago|||
It makes you aware a site is selling your data or is otherwise tracking you because otherwise they would not need a banner to request consent to do so :)
throwaway270925 3 hours ago|||
Since people still seem to conflate the two, let me say it loud and clear:

GDPR HAS NOTHING TO DO WITH THE COOKIE PROMPTS!

etothepii 5 hours ago|||
In the UK, open banking was essentially a response to GDPR; this has allowed (to a limited extent) a variety of tools to be built on top of bank accounts that otherwise would not have been.
pjc50 5 hours ago||
That was actually the two Payment Services Directives: https://blog.finexer.com/guide-to-psd2-regulation-for-open-b...
pjc50 5 hours ago||
GDPR doesn't apply in the states, but hopefully it provides for some punishment for the poor security here for EU customers. Of course, then some Americans will get mad that a US company has to follow EU law.
bilekas 4 hours ago|||
> Of course, then some Americans will get mad that a US company has to follow EU law.

This is always the way of the world though, if you want to do business anywhere, you are of course obligated to follow the local laws and regulations. I don't see anyone disputing this outside of blatant patent infringement by certain countries.

ralferoo 5 hours ago|||
The GDPR applies worldwide to any data held about EU or UK citizens, regardless of where they reside. It does apply in the US, it's just potentially harder for the EU to enforce meaningful penalties for infractions.