Date: 2024-09-27

Hot on the heels of the National Public Records data breach, which leaked more than 2 billion records, another background check firm has now had a leak.

The company in question, MC2 Data, exposed the sensitive data of around one-third of the U.S. population – 106 million people – to the entire internet.

While data leaks are sometimes unavoidable, in this case, MC2 Data is fully responsible, as it left a database containing 2.2TB of personal data without password protection.

MC2 Data’s negligence led to the data leak

Cybernews broke the story of this security incident, noting that on Aug. 7 its research team discovered that MC2 Data had left a database containing 2.2TB of personal data unprotected and easily accessible to anyone on the internet.

The database contained 106,316,633 records with private information about U.S. citizens, and Cybernews estimates that at least 100 million individuals were affected by this massive data leak.

The leaked data included names, emails, IP addresses, user agents, encrypted passwords, partial payment information, home addresses, dates of birth, phone numbers, property records, legal records, and family, relatives’ and neighbors’ data as well as employment history. MC2 Data even exposed data of 2,319,873 users who subscribed to its services, including individuals and organizations needing background checks.

What was the company doing with all that data anyway?

As I mentioned, MC2 Data is a background check firm. It was probably using the data to provide background check services, gathering information on people for clients like employers, landlords or organizations needing to verify things like identities or employment history.

While data collection like this is pretty standard in the background check industry, companies are required to follow strict rules. They have to comply with federal, state and local regulations to make sure their operations are legal and that people’s data stays protected.

“Background-checking services have always been problematic, as cybercriminals would often be able to purchase their services to gather data on their victims,” said Aras Nazarovas, a Cybernews security researcher.

The data leak is a gold mine for cybercriminals

The world’s most valuable resource is no longer oil but data. Everyone from big tech companies to cybercriminals to small-time marketers is willing to pay a premium for access to this vast amount of information. The biggest concern, however, lies with cybercriminals who can use this data for identity theft and other malicious attacks.

The leaked information of subscribers is particularly concerning, as these individuals could be high-value targets for cybercriminals. The subscribers may include employers, landlords, law enforcement and similar entities.

MC2 Data is yet to issue a statement confirming the breach. We reached out to MC2 Data for a comment but did not hear back before our deadline.

It’s time to invest in identity theft protection

Cybercriminals who have access to this data may attempt identity theft, but with an identity theft protection service, you'll be notified if and when you are affected. Identity theft companies can monitor personal information like your Social Security number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

One of the best parts of using some services is that they might include identity theft insurance of up to $1 million to cover losses and legal fees and a white-glove fraud resolution team where a U.S.-based case manager helps you recover any losses. See my tips and best picks on how to protect yourself from identity theft.

4 ways to protect yourself from data breaches

In addition to opting for an identity theft protection service, you can follow these tips to protect yourself from data breaches.

1. Remove your personal information from the internet: While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with the information they might find on the dark web, making it harder for them to target you.

2. Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions and security alerts.

3. Be cautious of phishing attempts: Be vigilant about emails, phone calls or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request. The best way to protect yourself from clicking malicious links that install malware is to have strong antivirus protection installed on all your devices.

4. Monitor your accounts: Breaches of this magnitude will make it a necessity for you to start routinely reviewing your bank accounts, credit card statements and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.

Kurt’s key takeaway

When your business model relies on collecting people’s data and providing services based on that information, you must do everything possible to protect it. This is not only a moral responsibility, it’s also a legal requirement. MC2 Data has failed to meet this obligation, and its negligence puts millions of Americans at risk, many of whom were unaware their data was being collected by the firm. Companies should face strict legal actions and hefty penalties for such incidents rather than just receiving a slap on the wrist.

What do you think should be the consequences for companies that fail to protect consumer data? Let us know by writing us at Cyberguy.com/Contact.

