Into the Exposed Database Hall of Shame comes a new entry: an unprotected cloud repository listing the names, dates of birth and street addresses of the adults in 80 million U.S. households, as found by two Israeli researchers.
That's approximately two-thirds of the households in the U.S., according to CNET, which spoke with the researchers. An identity thief who got hold of the data would have a field day, as full names, current addresses and exact dates of birth are 3/4 of the identity-theft quadrifecta --
match a Social Security number with any of those entries, and you're done.
The good news is that the researchers aren't revealing the database's online location. The bad news is that they don't know to whom it belongs, and can't tell its owner to fix it until they figure that out.
As detailed in the VPN Mentor blog, researchers Noam Rotem and Ran Locar found the 24GB database hosted on a Microsoft cloud service (presumably Azure, but we don't know for sure) earlier this month. The database seems to have been up since February.
The VPN Mentor blog post, penned by a pseudonymous "Guy Fawkes," doesn't specify exactly how the database was left unprotected. Sadly, it's pretty common for companies to throw sensitive information up on an Amazon Web Services or Microsoft Azure cloud server without securing it properly.
The data also includes marital status, gender, income, homeowner status (i.e., whether the home is owned or rented) and type of home (apartment, house, etc.).
"This made us suspect that the database is owned by an insurance, healthcare or mortgage company," the blog post said. "However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, Social Security numbers or payment types."
Another tantalizing tidbit -- "despite searching thousands of entries, we could not find anyone listed under the age of 40."
VPN Mentor assumes that this database belongs to an online service that collected this information from people who signed up for it voluntarily, but there don't appear to be email addresses or telephone numbers in the database -- street mailing address appear to be the only contact information.
The demographic information listed here is pretty easy to obtain from commercial data brokerages if you're willing to pay well. We suspect this database may be related to a marketing company that sells condos in Florida, or maybe even the AARP, which somehow knows exactly when your 50th birthday is coming up so that it can start sending you junk mail.
If you have a good idea of whose database it might be, drop VPN Mentor a line at firstname.lastname@example.org.