- Breach by SL Data Services exposed 600,000 pieces of personal data
- Records contain full names, addresses and financial information
- The database was not password protected
It has been discovered online that an SL Data Services database containing hundreds of thousands of records is public and not password protected or encrypted.
Cybersecurity researcher discovered more than 640,000 PDF files (713.1 GB) Jeremiah Fowlerwhich revealed this included vehicle records, court records and property ownership reports. The documents were primarily labeled “background checks” and included full names, addresses, email addresses, employment information, social media accounts, phone numbers and criminal records.
It is not clear how long the information was openly accessible, but after the Responsible Disclosure Notice was sent, the information was restricted a week later. The database may be owned by a third party contractor, or directly by SL Data Services.
Background check information
Since the vast majority of information disclosed came from background checks, there is a very real possibility that these were conducted without the knowledge or consent of the person whose information was disclosed.
This makes many people vulnerable, especially to social engineering attacks, as criminals can easily use sensitive information to deceive victims, using information about family members, financial information or employment details.
If such extensive personally identifiable information is made public, there is also a risk of identity theft, exposing victims to serious financial losses.
There is no evidence yet that criminals have accessed the open database or collected sensitive information, but now that information is limited, researchers will likely keep an eye on the dark web to see if the data is for sale.
This isn’t the first data breach this year by a background check company, as National Public Data suffered one of the largest data breaches ever in August 2024 and is now facing a class action lawsuit for failing to protect personal data.