an exposed MongoDB database containing nearly 1 terabyte of personally identifiable information (PII) exposing approximately a billion sensitive records across 26 countries.
Not even a hack. Pure incompetence and negligence.
If everyone is selling my personal information and I’m not getting my cut then I see a class action lawsuit in the not too distant future. Who’s with me?
KYC isn’t evil. It’s literally the operational piece that says stuff like “If someone named Vladimir Putin tries to open a bank account with you, you should know if he’s THAT putin or not, especially as it may get your business in serious trouble related to gov sanctions etc”. The government, quite literally, sends auditors to Banks and Credit Unions every 2-3 years to make sure you do this sort of due diligence.
The issue with KYC is that it’s farmed out to third parties that focus on scale and cutting costs. It’s in the same general space as something like Credit Scores – Banks/Credit Unions don’t maintain their own credit scores for people so much, as they just buy that score information from Equifax / Transunion etc.
Really, what I imagine people should be pushing for instead of this piecemeal whining, is something closer to what Estonia has for its citizens. A highly integrated government-based portal that allows citizens to do things like Register a New Small business in 15 minutes, and to see which organisations have access to their gov ID info. From what I understand, citizens basically get given PINs as part of their gov IDs, which they can disclose to banks/businesses, who can subsequently access basic required read-only details about that person via the gov portal. So your bank needs to know who you are? No problem, you let them know your pin when you setup the account – and the banks system is then able to pull just the basic info from your gov account to meet the banks operational needs / regulatory obligations whether you’re there in person or not. And as a citizen, if you want to check your privacy disclosures to third parties, you just log in to the gov site, and see a list of which businesses have access to your data – and I imagine you’d get the option to cancel their access if you wanted to (so when you close an account at a business, you pop in to the gov site and also clip their ongoing access). From what I gather, that sites a one stop shop for all gov stuff, so it’s also where you go for tax stuff, drivers lics, the works. Makes it a LOT simpler for citizens, as you don’t need to sort out what esoteric stupid sub site / domain you need to visit to see if you qualify for a rebate or whatever – so it seems like a big improvement from a user experience side.
ALL THAT SAID, that shift would put more onus on the consumer in some ways, as they’d need to log in to a gov site etc – like it’s bad enough trying to explain MFA to old people, imagine trying to make this shift! You’d also need a government that was willing to actually do stuff for the people – I think Estonia only went that way, as an attempt to shield themselves from massive attacks from Russia. They want their gov fully functioning in the cloud, including elections etc, so that even if they end up like Ukraine, they can still “function” remotely. Consumers are a big issue for anything security related too, as practically no one changes banks / FIs based on security – it’s almost entirely rate oriented for mortgage holders. Tell a consumer they can get a 0.2% better rate by going with the bank that doesn’t fuss security, they’ll take it. Try and market your bank/FI as being more security conscious, it won’t generally draw in new members based on that alone.
Like, again using Canada as an example, we’ve had a year of the US antagonizing us and threatening economic ruin / annexation. Lots of Canadians are keen not to buy American products as a result. Almost all of Canadas banks/CUs use US partners/outsourcing within their stack: places like Vancity Credit Union, for example, are using Intellect Design’s product for their online banking, which is a partner owned by an India parent company (with little/no presence in Canada), which hosts its stuff on Microsoft’s cloud. Most Credit Unions in the country are likely going to go the same way in the next couple years – even though it’s a huge security risk, and highly likely that both India and the USA will gain access to all your data, let alone sketchy third party’s like India’s fraud centers. There are a couple Credit Unions in Canada that actually maintain stuff (almost entirely) in Canada. But that’s not enough to entice people to use those organisations, so they’re all dying out / merging as a result of a lack of members (and regulatory overreach / decrees).
They should publish the names of the companies which datasets have been involved. NOW.
the name of the company is known. it’s IDMERIT: https://www.idmerit.com/
Yes, but the point is that they seem to have data for or on behalf of a load of different companies, probably in the telco department.
Other companies outsource their KYC compliance to them.
Exactly. And this is the list of company names we need.
At some point so much data will have been leak that there will be no new data to leak, right?
Why the hell would you use an AI tool for giant data sets of sensible data? Someone needs to go to jail and that company shouldn‘t exist any longer.
I think about this kind of simplistically.
Firstly, answer to yourself is it practically possible to store and use vast amounts of data safely, without risk of being compromised?
If you say no, then we shouldn’t be doing this. If you said yes:
Since you think it is practically possible to do safely, the penalty for any company who fails to do this should be instant corporate death. Automatic nationalization and liquidation to compensate the victims. People who are found in court to be responsible should face severe consequences. Criminal negligence, multiple counts.
That’s the only way I see to get all of these data hoarding fucks to take it seriously.
/end pipe dream
Something something not their fault, suffering from lead deficiency.
The core purpose of KYC - to make it harder to launder money, and for the ultra rich to hide away their ill gotten gains - is not evil, far from it.
The fact the very same people which benefit from a perception that KYC is evil and/or ineffective, are the same people making the decisions to penny pinch on security which directly lead to data breaches, is obviously a complete coincidence!
Bruh, the ultra rich have operated state sanctioned child rape islands for several decades. Do you really think KYC has any impact on their crimes?
If so, I have a bridge you might be interested in acquiring…
those crimes in specific? no.
in how they carried out specific other crimes? yeah, it changed methodology at very least. it sounds like you don’t understand KYC. it was not targeted at sex trafficking. it’s aimed at financial crimes.
I was not equating those crimes. I was highlighting the fact that we live in multi-tiered legal and justice systems that are proportional to wealth.
HSBC enabled fraud for organized crime in the hundreds of billions, and they didn’t face even remotely equivalent consequences. Was anyone even criminally prosecuted?
How about the people only accept measures that impose great risk to the privacy of the working class once corporate and political criminals face the same level of “justice” and consequences as the working class? Why should consumers accept paper straws while corporations are free to increase plastic waste exponentially?
I was not equating those crimes
uh yeah you were
KYC does nothing against rich people. Panama Papers came out and nothing happened. Law enforcement does not target rich people.
Yep. KYC is to stop the movement of funds that could be used to undermine the system. A.k.a terrorism.
Terrorism as defined by whom? Because those protesting Israel are soon terrorists. Animal rights defenders. Environmental protesters especially opposing oil pipelines and the like, climate protesters, people protesting the police, etc.
This is going to get really bad, the mask is off, they aren’t pretending to operate government according to the rules, or to be believable. The terrorists they will be targeting are those protesting the plutocracy ass fucking people without their consent.
Exactly. Anything that undermines the billionaire narrative.
Also tax evasion.
I agree that KYC isn’t inherently evil. But the way its been weaponized is.
For instance in the telecommunications space it make total sense for mitigating spam SMS messages and Robocalls. But the carriers all sell your data for profit. They also don’t protect your data properly and are breached all the time. That’s malicious.
So no, I won’t throw the baby out with the bathwater and agree its an oversimplification to simply call KYC evil. But I also don’t blame people when all they see is abuse and never a good and proper implementation that isn’t exploitative.
There’s also an execution problem.
Truly knowing your customer might produce very different outcomes than the current compliance checkbox approach.
“I know Fred just sold his old car. The idea he suddenly has $12k in cash is not suspicious” or “Jane’s been talking about going to Montreal for momths. We should not block her card when it lights up there.”. That’s real KYC, but it requires human connection and human judgement, which doesn’t scale and doesn’t provide the right paperwork for demonstrating compliance with arbitrary mandates.
There’s also an execution problem.
There absolutely is. Way too many of these fuckers are still breathing.
Last week, we published our team’s findings about an exposed Elasticsearch cluster that contained over 160 indices and held 8.7 billion primarily Chinese records, ranging from national citizen ID numbers to various business records.
Last December, the team uncovered an unprotected database containing 4.3 billion records, some of which included LinkedIn-derived personal information. The 16TB-strong instance contained emails, photos, employment histories, and other personal data. A single collection alone contained 732 million records, including photographs.
In July, Cybernews covered one of the largest data leaks in history, after researchers discovered several collections of login credentials, containing 16 billion records. The team found 30 exposed datasets, each containing tens of millions to more than 3.5 billion records.
The leaked data included login info for just about every online service, including Apple, Facebook, Google, GitHub, Telegram, and even government platforms.
Damn…
60m records in Germany. That 3/4 of the population. The US has 350m inhabitants. 200m leaked records accounts for more than half!
Gotta love how the blog is nothing but “We’re awesome, data leaks cannot happen with our architecture”. Something about advertising too much is making up for lack of actual skill or something
I’m a software and systems architect. Architecture won’t save you if the implementation is crap. That’s just marketing jive talk.
Rewriting history
Is this why my phone was suddenly enrolled in half a dozen text notification services at the same time last week? Or was that a different massive-scale data leak? It’s hard to keep track at this point.
“At this scale, downstream risks include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms. Industry-wide, the case underlines how third-party identity vendors have become critical infrastructure and can become single points of catastrophic failure,” our team explained."
Wouldn’t Username + Password + SIM = 2FA password reset?
It would for all the financial industry that refuses to move to a real 2 factor system.
The Cybernews research team discovered an exposed MongoDB database containing nearly 1 terabyte of personally identifiable information (PII) exposing approximately a billion sensitive records across 26 countries.
Welp. I guess, time to change passwords.
holy shit I used this exact method this week at work to extract a paid-for database for free.
This happens every now and then, new or old data, several accounts, sometimes billions. Far too frequently.
If the GDPR were worth a damn, this leak of over 200M data subjects’ data should be more than enough to completely liquidate this company to pay for damages.
