US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder

The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks' highly sensitive personal details exposed to the public internet, according to security researchers. In yet another AWS S3 configuration cockup, Americans' names, addresses, dates of birth, photos of driver licenses and social security …

  1. Voland's right hand Silver badge

    "Credit repair". That sounds like a business Al Capone would have been proud to run. Probably similar business model too.

    1. Anonymous Coward

      Capone would be proud of this lot

      Probably similar business model too.

      It is exactly that model.

      I have had letters from a so-called "debt management" company essentially saying that they would do their damnedest to make sure I wouldn't get a new job or a new apartment unless I paid up first. They didn't seem to give a flying fuck about court orders saying I didn't have the funds to pay.

      Continuous harassment on top, but as I said, they ignore court orders.

      Jail time is needed to stop this kind of abuse.

      1. Alan Brown Silver badge

        Re: Capone would be proud of this lot

        "Continuous harassment on top, but as I said, they ignore court orders."

        Too bad you can't go back to the court with the evidence and file a contempt motion.

        Judges tend to dislike being ignored.

      2. TheVogon

        Re: Capone would be proud of this lot

        "I have had letters from a so-called "debt management" company essentially saying that they would do their damnedest to make sure I wouldn't get a new job or a new apartment unless I paid up first."

        I suspect they were just telling you the potential impact of a poor credit history and/or court debt judgements. They might have implied it was directly them, to get you to pay their debt as a priority, but unless they are the creditor or they take you to court, in reality it's your credit record.

        "Continuous harassment on top, but as I said, they ignore court orders"

        Well, in the UK at least, if you tell them the debt is disputed and not to contact you again, it's illegal for them to harass you.

        Other court orders are likely irrelevant unless they pertain to this specific debt or you are declared bankrupt or protected while your assets are assessed. And a court observation that you don't currently have funds to pay doesn't stop them pursuing you when you do.

        Guessing you are in the US, see:

        https://www.creditcards.com/credit-card-news/court-judgment-debt-gavel-main-1282.php

    2. TheVogon

      "when they accidentally configure S3 buckets to be public"

      How could you ever do that accidentally? It takes deliberate effort. If you really did that without understanding then what are you doing managing cloud infrastructure?

      1. Lysenko

        "when they accidentally configure S3 buckets to be public"

        How could you ever do that accidentally? It takes deliberate effort.

        True, but in fairness, one has to note that the AWS security interface is viciously user-hostile for the sort of amateur whom Amazon encourage to play with the system. I don't think it is entirely coincidental that all these leaks seem to be AWS rather than OneDrive, DropBox, GDrive or any of the other clouds like Azure. There should be big red switches on the primary configuration screen, explicitly labelled "Allow access to all Internet users?" with a confirmation dialog noting:

        "If you are storing any personal information regarding individuals, activating this feature may be illegal in your jurisdiction, potentially leading to unlimited fines and/or imprisonment."
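        The switch Lysenko describes amounts to a check over a bucket's policy and ACL for grants to everyone. The Python below is an added example, not code from the article, the comments, or AWS; it assumes the input shapes the AWS API returns for a bucket policy (a JSON policy document) and a bucket ACL (a list of grants), and the sample documents are constructed, not taken from the breached bucket.

```python
# Added example (not from the article or the comments): flag S3 bucket settings
# that grant access to every Internet user. Input shapes follow what the AWS API
# returns for a bucket policy (JSON document) and a bucket ACL (grant list).
import json

PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # "*" and {"AWS": "*"} both mean anonymous / any AWS principal.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_findings(policy_json):
    """Findings for Allow statements whose principal is everyone."""
    findings = []
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        # A Condition (e.g. a source-IP restriction) may narrow the grant: still report it.
        scope = "limited by a Condition" if stmt.get("Condition") else "with no Condition"
        findings.append(f"policy grants {actions} to everyone {scope}")
    return findings


def acl_findings(grants):
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def public_access_findings(policy_json, grants):
    """What an explicit 'Allow access to all Internet users?' switch should surface."""
    return policy_findings(policy_json) + acl_findings(grants)


# Constructed sample: anonymous reads via the policy plus a READ ACL grant to AllUsers.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
EXPOSED_GRANTS = [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}]
```

A bucket with no policy passes `None` for the policy; account-level Block Public Access settings, which override both mechanisms, are outside what this check reads.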

  2. Anonymous Coward

    This is becoming a huge problem and there really needs to be legislation that makes the companies and directors legally responsible. Identity theft is a very serious problem; it happened to me and I had to change my name.

    1. Anonymous Coward

      You can't legislate anti-stupidity behind the keyboard.

      1. Tom 7

        Re: You can't legislate anti-stupidity behind the keyboard

        No, but you can encourage people to put procedures in place to counteract the stupidity. Having your arse handed to you by the courts can encourage company bosses to actually ensure the stupidity is procedured out to the point of it being near impossible.

    2. Anonymous Coward

      "This is becoming a huge problem and there really needs to be legislation that makes the companies and directors legally responsible."

      There is and they are. Currently it's covered by the Data Protection Directive and from next year it's the General Data Protection Regulations. The potential fines are vast and deliberate infringement can result in prison time.

      1. Anonymous Coward

        The GDPR is a very good start but it depends on how it's implemented and whether they follow through with the fines, because what happens when you have a "too big" company like Google, Microsoft or Facebook? Could they threaten to pull services in the EU in response, and what would the EU's response to that be?

        Deliberate infringement would be very hard to prove; just because someone didn't apply a security patch or something like that would not be classed as deliberate infringement. I can't really see where deliberate infringement could apply, because then you would be trying to harm your own company, which is never going to happen.

        1. TheVogon

          "The GDPR is a very good start but it depends on how it's implemented"

          We already know that: the laws are in place and take effect next year.

          "because what happens when you have a "too big" company like google, microsoft or facebook?"

          As they all have offices in the EU, fines would be easily enforceable.

          "Could they threaten to pull services in the EU in response"

          Presumably they could.

          "and what would the EU's response to that be?"

          I would guess it would be "go on then". The EU is, after all, a larger market in terms of both population and GDP than the US.

      2. Missing Semicolon Silver badge

        "deliberate infringement can result in prison time"

        Ha. But it never will.

        Not for anything other than Mom-and-Pop businesses.

        If you're big enough to lose millions of records, you're "too big to fail".

  3. RichardEM

    Putting someone in jail for maybe 2-5 years while their families can get on with their lives I don't believe has been shown to have any real effect on the companies that have OUR DATA.

    Until there are real consequences for the upper management of these companies (as part of that group of people I mean those that allocated what to spend to protect OUR DATA), such as large monetary penalties that are not covered by company or personal insurance, so the people responsible, and their families, can feel the consequences of not doing everything that is necessary to protect the customers' sensitive data.

  4. Mark 110

    Not identities worth stealing

    "The data store would have been a treasure trove for identity thieves and fraudsters, although there is no evidence information was lifted by miscreants."

    Maybe. Not really much point in stealing the identities of people that need help with their credit score. It's still incredibly clumsy though.

  5. Anonymous Coward

    I'll bet they had nothing to hide...

    I'm starting to sound like a broken record because I've posted something like this quite a few times now, but yeah, they keep providing us with good examples.

    See title: I'm pretty sure their customers had nothing to hide, but as always that's not the primary concern when it comes to privacy and such. The real concern is how the other party is going to (ab)use all the collected data.

    And here we are, once again an excellent example. Let the identity theft games begin!

    Ironic, isn't it: if you want to store information related to credit cards you'll have to go through a ton of hoops (PCI compliance, for example) before they'll let you off the hook. And the credit card companies themselves? Well, they seem to have no problems with just dumping all their data onto a public storage facility.

    If an individual did this there'd be massive fines to pay, but I'm sure that's all "different" for these guys.

  6. Anonymous Coward

    Yet they are still rushing

    to move everything into the Cloud.

    How many more breaches (and subsequent loss of PR and fines) like this will companies need before they stop and think that this might not be a good decision?

    Sadly, they won't stop and more breaches will happen. Repeat and rinse.

    1. a_yank_lurker

      Re: Yet they are still rushing

      My problem with the cloud is that very sensitive data resides on someone else's hardware. Aside from misconfigured databases and services, if you do not own the hardware you really do not control the data.

      Kim Dotcom got into trouble as Megaupload contracted storage out and one of the companies was US-based.

  7. Trigonoceps occipitalis

    There's a Hole in My Bucket

    Dear Lisa, Dear Lisa,

    There's a Hole in My Bucket,

    Dear Lisa, a Hole.

    With What Do You Fill It,

    Dear Henry, Dear Henry,

    With What Do You Fill It,

    Dear Henry, With What?

    Why, Data,

    Dear Lisa ...

  8. DougW

    If three lefts make a right, what do three wrongs make?

    Have to wonder what the black market value is for data on some slob^W fine individual with a credit score so dismal that they thought "credit repair" was a better choice than the ones they have already made?

  9. erikborgo

    "Entire Universal Credit Claimants' Database leaks on Amazon Web Services"

    ...maybe Ladbrokes would accept a bet...

  10. Winkypop Silver badge

    All your leak are belong to us

    They only had one job...

    1. Korev Silver badge

      Re: All your leak are belong to us

      Quite. What kind of a vegetable leeks data all over the place?

  11. Nimby

    Basic Security 101 - Failed

    The problem is that companies don't even follow basic security practices for handling this kind of data. The cloudy bitbucket is bad enough, but even then, had the data been properly encrypted, hashed, salted, with important columns separated into separate databases on unique servers/buckets, then the damage of exposure (whether a hack or just a bad configuration open to world + dog) would be minimal.

    How many more decades do we have to go before companies are held significantly liable just for the fact of not storing the data according to basic security practices defined ages ago?

    I'm not even asking for anything interesting or advanced. Just Basic Security 101 would be a massive improvement over "one server, one database, unencrypted, unprotected, open to world".

    1. TheVogon

      Re: Basic Security 101 - Failed

      "How many more decades do we have to go before companies are held significantly liable just for the fact of not storing the data according to basic security practices defined ages ago?"

      They already are responsible and there have been plenty of fines. The GDPR makes the fines vastly larger from next year. And makes the requirements much more specifically defined.
