A concerning data security incident has come to light as an independent security researcher discovered over 600,000 unprotected sensitive records belonging to background check company SL Data Services.
The exposed database, a 713.1GB Amazon S3 storage bucket, contained private information including vehicle records, property documents, criminal records, and background checks - all without password protection or encryption.
Security researcher Jeremiah Fowler found that approximately 95% of the exposed files were background check reports containing detailed personal information. The documents included individuals' full names, addresses, email addresses, phone numbers, employment histories, social media accounts, and family member details.
The database also contained thousands of vehicle-related records with license plate numbers and vehicle identification numbers (VINs), along with property ownership documentation.
During the investigation period, the number of exposed records grew by an additional 150,000 files. Attempts by the researcher to contact SL Data Services about the security lapse went unanswered.
The incident follows a string of recent data breaches affecting background check companies. National Public Data (NPD) suffered a major breach earlier this year that led to 2.9 billion records being offered for sale on hacking forums, ultimately forcing the company into bankruptcy.
In another case, B2B firm DemandScience reported potential exposure of sensitive data through a compromised third party.
The researcher recommends that companies handling sensitive data should implement stronger security measures, including:
- Using randomized and hashed identifiers instead of personal information in file names
- Avoiding predictable naming patterns for files
- Maintaining careful monitoring of access logs to detect suspicious activity
The total duration of the data exposure and whether any unauthorized parties accessed the information remains unknown.
This incident highlights ongoing concerns about data broker security practices and the vulnerability of sensitive personal information in cloud storage systems.