Astro Hacker News - 1B identity records exposed in ID verification data leak

neya |next [-]

If I was in Vegas, I would bet my life savings that the CXOs of the said ID Verification company's data isn't included in the leak. This is just like that Mc Donald's CEO's video - they never use what they create.

esperent |next |previous [-]

This is actually a Fox News article and as far as I can see it's not corroborated anywhere.

I saw a reddit thread about it earlier where someone said the apparent hacker refused to actually show any of the data and was asking for money. So probably just a scam rather than a real leak.

cataflam |next |previous [-]

Almost a month old, original source: https://cybernews.com/security/global-data-leak-exposes-bill...

and I've never seen any confirmation elsewhere

Looks like CyberNews have edited the article with more info since first I saw it, it used to look quite suspicious and untrustworthy, it now has more info. Still doesn't say exactly what a record is, or how many uniques there are.

tootie |root |parent [-]

It's a weird article. Foe one, the researcher says "they believe" the data belongs to IDMerit but apparently aren't sure. IDMerit denies it's the owner of the data nor is it any of their partners. And there's very few details about where or how they found this database. It's possibly some kind of hoax or ransom attempt? Or there's really just billions of unaccounted databases of private data just sitting all over the Internet.

bilekas |next |previous [-]

> That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment

The fact that they didn't vet their data providers then has to be considered a form of negligence. In the end, its the company I am handing over my details to to act responsibly, not their providers.

I hate this responsibility delegating when its not a good luck, and this will continue to get worse now as the entire internet will be ID gated soon. But don't worry, all the lapse in privacy and even security in the name of 'saving the kids'.

egorfine |next |previous [-]

KYC = Kill Your Customer.

whatsupdog |next |previous [-]

Where the F does IDMerit even get all this data from? They have names, DOBs, addressed, phone numbers, national identity numbers for over a billion people? How?

wongarsu |root |parent |next [-]

The 1B number would contain multiple records per person.

For example if I (as a German in Germany, ymmv) open a bank account online that involves a call with one of these companies where they take pictures and information from my passport and check that that's me. Then I choose payment in installments on some online shop, same game. Apply for a small loan? Same game. Set up an account for trading (stock exchange or crypto)? You guessed it, another call. Another payment in installments, backed by the same bank? Apparently verifying my identity again is easier than checking their database. Each of those is another record. Potentially with a new identity document, but mostly just the same data confirmed again with another timestamp

Not all of them use the same identity verification service, but there aren't that many. And I wouldn't be surprised to learn that many are the same company under different brands

uean |root |parent |next |previous [-]

Makes sense if the ID verification process involves scanning a driver license or passport.

Edit- rereading this, you’re obviously talking about scale.

shakna |root |parent |previous [-]

A record is not necessarily unique. Name changes, address changes, phone number changes, can all create "new" records in dumps like these.

|next |previous [-]

mbix77 |previous [-]

What did measures like gdpr ever achieve except for making me click a cookie prompt away.

Rygian |root |parent |next [-]

Actual punitive measures taken against entities who e.g. manipulate personal data in a negligent way. [1]

Which was much harder to achieve before.

[1] https://www.enforcementtracker.com/

loloquwowndueo |root |parent |next |previous [-]

Right to be forgotten - you can ask companies to delete data they hold on you.

Data ownership/portability : you can ask companies for a copy of all data they hold on you or related to you.

I’ve seen the latter used by job applicants to get an entire copy of their interviews, transcripts and assessments including the reason for not being hired.

pjc50 |root |parent |next |previous [-]

GDPR doesn't apply in the states, but hopefully it provides for some punishment for the poor security here for EU customers. Of course, then some Americans will get mad that a US company has to follow EU law.

bilekas |root |parent |next [-]

> Of course, then some Americans will get mad that a US company has to follow EU law.

This is always the way of the world though, if you want to do business anywhere, you are of course obligated to follow the local laws and regulations. I don't see anyone disputing this outside of blatant patent infringement by certain countries.

ralferoo |root |parent |previous [-]

The GDPR applies worldwide to any data held about EU or UK citizens, regardless of where they reside. It does apply in the US, it's just potentially harder for the EU to enforce meaningful penalties for infractions.

etothepii |root |parent |previous [-]

In the UK open banking was essentially a response to GDPR this has allowed (to a limited extent) a variety of tools to be built on top of bank accounts that others would not have been.

pjc50 |root |parent [-]

That was actually the two Payment Services Directives: https://blog.finexer.com/guide-to-psd2-regulation-for-open-b...