- Security researcher finds unsecured 38GB database containing 10,820 records
- Names, postal addresses, and more were leaked to the open internet
- The archive, owned by IMDataCenter, is now shut down
IMDataCenter, a Florida-based data hygiene, enhancement, and append services provider, has been found leaking thousands of sensitive personal records to the open internet.
Security researcher Jeremiah Fowler discovered an unencrypted and non-password-protected database, containing 10,820 records. It was 38 GB in size, with the majority of files being .CSV spreadsheets with “many thousands or hundreds of thousands of rows of PII.”
There is no evidence of abuse in the wild just yet, but the PII (Personally Identifiable Information) included people’s names, postal addresses, email addresses, phone numbers, and lifestyle or ownership information.
Locking down the database
“The records appeared to be a storage repository for client orders labeled ‘reports’ and ‘results’,” Fowler told Website Planet.
“File names indicated these lists were used for multiple purposes, including sales and marketing leads for industries such as insurance, solar, elections, car warranties, hospitals, healthcare providers, and more.”
IMDataCenter is a Florida-based division of Brooks Integrated Marketing, offering a platform for marketing data improvement, including identity resolution, phone and email appending, Complete Integrated Marketing Append (CIMA), and more.
The platform’s data library spans 260 million individuals, 130 million households, 600 million emails, 550 million phone numbers, and more.
Fowler reached out to the company to warn them about the leaking information, and the database was locked down soon after.
“Data security is really important to us too and we really appreciate you sharing this information with us,” they told the researcher. “We are working to secure the information ASAP”.
The researcher also stressed that many companies hire third-party service providers to own and manage such databases. It is unknown who maintains IMDataCenter’s database. It is also unknown whether any malicious actors found the database in the past, or abused it for phishing, identity theft, or similar impersonation attacks.