Easy come, easy go. A data broker that specializes in scraping public sources like LinkedIn to build salable marketing profiles had its stash of valuable information stolen, in an incident that first became public in February of this year. Unfortunately, the consequences extend to millions of people.
The data broker, DemandScience, has only now confirmed that it was the source of 122 million records offered for sale on BreachForums earlier in the year. However, DemandScience insists that it has not detected an internal breach and that the data must have been taken from a contractor or partner.
Data first scraped, then stolen without data subject awareness
Data brokers in the US face little regulation of how they create user profiles, particularly when those profiles are cobbled together from scraped information. The burden of preventing scraping usually falls on the platforms, which almost always restrict the practice in their terms of service but also struggle to stop it from happening anyway.
This is far from the first time a data broker has been hit for tens or even hundreds of millions of records, and in some cases it did not even involve hacking. But these incidents never make the mainstream news or capture the attention of most of the impacted parties, in no small part because the brokers are able to operate so covertly in the first place.
There is no real federal recourse for these incidents, and the data subject would have to live in a state like California to even be able to opt out from the data brokers that collect and organize information in this way.
Data broker scraped information from LinkedIn, other public sources
It isn’t clear exactly what sources the data broker scraped information from, but LinkedIn and similar professional platforms are a safe assumption. The company packaged this information into B2B profiles meant to provide sales leads to buyers. Specific information included could vary by record but might include any or all of the following: full names, physical business addresses, email addresses, telephone numbers, job titles and functions, and social media links.
When the hacker first uploaded it to BreachForums earlier this year, the asking price was $6,000. That doesn’t appear to have drawn substantial interest, as after a few months the price had been reduced to just a few dollars for access. DemandScience has since issued a statement that it does not deal in any non-business personal information, financial information or highly sensitive details such as Social Security numbers, so the price drop likely reflects there being little non-public information of interest in the collection. There were initial reports that hashed passwords might have been included, but this has since been debunked by HaveIBeenPwned’s Troy Hunt, who published a deep dive into the stolen data on his blog.
The hacker who stole the data is a known quantity that has been particularly active this year, but also has a spotty track record for honesty about their offerings. “KryptonZambie” is responsible for a legitimate March breach of popular AI photo editing tool Cutout.Pro that exposed 20 million user records, but also backed off of an April claim of having stolen a mass of photo IDs from the Philippines government when BreachForums users scrutinized the story.
The most salient point of the story would appear to be DemandScience’s admission that a “deprecated” system, possibly belonging to some sort of partner, was the source of the breach. The incident certainly renews questions about how data brokers should be regulated. It also serves as a general reminder for organizations to keep an inventory of their data as well as of vendor and partner access, ideally by pairing a configuration management database with an access management solution, since together they provide the capability to detect outdated and derelict systems that may be lingering as a potential liability.
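As an added illustration of that last recommendation (example code written for this article, not DemandScience’s or any vendor’s tooling; every asset and grant record below is constructed), the following script reconciles a CMDB export with an access-management export and flags grants that point at deprecated systems, systems missing from inventory, systems that have gone silent, or idle external identities:

```python
# Reconcile a CMDB asset export with an access-management grant export.
# All records are constructed sample data; field names are assumptions
# about what such exports contain, not any real product's schema.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Asset:
    asset_id: str
    status: str          # "active", "deprecated" or "decommissioned"
    last_seen: date      # last discovery scan / heartbeat recorded in the CMDB

@dataclass(frozen=True)
class Grant:
    principal: str       # user, service account or partner identity
    asset_id: str
    is_external: bool    # True for vendor / partner identities
    last_used: date      # last authentication seen by the access system

def stale_access_findings(assets, grants, today, max_idle_days=90):
    """Return (principal, asset_id, reason) tuples for grants needing review."""
    inventory = {a.asset_id: a for a in assets}
    idle_cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for g in grants:
        asset = inventory.get(g.asset_id)
        if asset is None:
            # Access exists to something nobody inventoried: the classic derelict box.
            findings.append((g.principal, g.asset_id, "asset not in CMDB"))
        elif asset.status in ("deprecated", "decommissioned"):
            findings.append((g.principal, g.asset_id, f"asset {asset.status}"))
        elif asset.last_seen < idle_cutoff:
            findings.append((g.principal, g.asset_id, f"asset silent > {max_idle_days} days"))
        elif g.is_external and g.last_used < idle_cutoff:
            findings.append((g.principal, g.asset_id, "idle external grant"))
    return findings

# Constructed sample exports.
TODAY = date(2024, 11, 15)
ASSETS = [
    Asset("crm-api-01", "active", date(2024, 11, 14)),
    Asset("legacy-export-02", "deprecated", date(2024, 5, 1)),
    Asset("etl-03", "active", date(2024, 6, 1)),
]
GRANTS = [
    Grant("vendor-acme", "legacy-export-02", True, date(2024, 10, 30)),
    Grant("vendor-acme", "ftp-old-09", True, date(2024, 2, 2)),
    Grant("svc-pipeline", "etl-03", False, date(2024, 11, 14)),
    Grant("vendor-beta", "crm-api-01", True, date(2024, 3, 1)),
]
```

Run `stale_access_findings(ASSETS, GRANTS, TODAY)` against real exports by replacing the constructed lists; every finding is a grant that should either be revoked or have its asset brought back under inventory.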