Sadly, massive data breaches have become so common that they usually surprise no one. But the latest breach is surprising lots of people because, as of now, no one knows who is behind it.
On April 29, Ran Locar and Noam Rotem — who are a pair of security researchers — announced in a blog post that they had found an unsecured database on Microsoft's Azure cloud platform that was publicly accessible. This 24 GB database reportedly contains personal information about 80 million American households. This personal information includes among other things:Full names Full addresses Longitude and latitude coordinates of the addresses Dates of birth and ages Marital statuses Homeowner statuses and dwelling types Income bracets In response to the disclosure, Microsoft announced through a spokesperson that they had notified the database's owner and that this person or persons had removed the database from public access. At the same time, though, Microsoft refused to reveal who this owner is, and Locar and Rotem have yet to have discovered this information as well.
At the moment, no one knows if any malicious party had accessed the data, nor does anyone know how long this data had been publicly available. The two researchers indicated that while they did review the information in the database, they did not actually download the database itself. They also indicated that they exposed the breach in the hope that others would then be able to identify the owner.
Just How Big Is the Breach?
80 million American households may sound like a lot of people, and it is. As of 2017, there were less than 130 million households in the entire United States. This means that the breach exposed the data of more than 60% of U.S. households. As a household consists of all people who reside in a particular home, there is no way of knowing just how many individuals had their personal data exposed.
Who Are the Researchers Who Exposed the Breach?
Locar and Rotem are researchers who are utilizing port-scanning techniques to complete a web-mapping project that they are working on. During the course of their research, they have found both data breaches and security vulnerabilities throughout the publicly accessible portion of the cloud.
Usually, the two men have been able to determine the ownership of any exposed data and have notified these owners prior to making the information public. But in this particular case, they have found no identifying information.
The researchers, though, believe that the database in question was tied to some kind of service. They believe this because in each entry of the database they found the terms "score" and "member_code." Another interesting aspect of the data is that all persons listed in the database are over 40 years of age. Because of this, the researchers think that a certain type of company owns the data, such as mortgage provider, a healthcare provider or an insurance company.
The researchers also noted that no identifying personal numbers were included in the data, such as Social Security numbers, account numbers or payment information.
Is the Breach Dangerous?
While the data breach did not expose Social Security numbers or any personal identification numbers, the researchers believe that the data contained within the database is sufficient for a criminal to use it to commit identity theft. They also believe that criminals could use the information to stage a targeted ransomware attack.