an exposed MongoDB database containing nearly 1 terabyte of personally identifiable information (PII) exposing approximately a billion sensitive records across 26 countries.
Not even a hack. Pure incompetence and negligence.
KYC isn’t evil. It’s literally the operational piece that says stuff like “If someone named Vladimir Putin tries to open a bank account with you, you should know if he’s THAT putin or not, especially as it may get your business in serious trouble related to gov sanctions etc”. The government, quite literally, sends auditors to Banks and Credit Unions every 2-3 years to make sure you do this sort of due diligence.
The issue with KYC is that it’s farmed out to third parties that focus on scale and cutting costs. It’s in the same general space as something like Credit Scores – Banks/Credit Unions don’t maintain their own credit scores for people so much, as they just buy that score information from Equifax / Transunion etc.
Really, what I imagine people should be pushing for instead of this piecemeal whining, is something closer to what Estonia has for its citizens. A highly integrated government-based portal that allows citizens to do things like Register a New Small business in 15 minutes, and to see which organisations have access to their gov ID info. From what I understand, citizens basically get given PINs as part of their gov IDs, which they can disclose to banks/businesses, who can subsequently access basic required read-only details about that person via the gov portal. So your bank needs to know who you are? No problem, you let them know your pin when you setup the account – and the banks system is then able to pull just the basic info from your gov account to meet the banks operational needs / regulatory obligations whether you’re there in person or not. And as a citizen, if you want to check your privacy disclosures to third parties, you just log in to the gov site, and see a list of which businesses have access to your data – and I imagine you’d get the option to cancel their access if you wanted to (so when you close an account at a business, you pop in to the gov site and also clip their ongoing access). From what I gather, that sites a one stop shop for all gov stuff, so it’s also where you go for tax stuff, drivers lics, the works. Makes it a LOT simpler for citizens, as you don’t need to sort out what esoteric stupid sub site / domain you need to visit to see if you qualify for a rebate or whatever – so it seems like a big improvement from a user experience side.
ALL THAT SAID, that shift would put more onus on the consumer in some ways, as they’d need to log in to a gov site etc – like it’s bad enough trying to explain MFA to old people, imagine trying to make this shift! You’d also need a government that was willing to actually do stuff for the people – I think Estonia only went that way, as an attempt to shield themselves from massive attacks from Russia. They want their gov fully functioning in the cloud, including elections etc, so that even if they end up like Ukraine, they can still “function” remotely. Consumers are a big issue for anything security related too, as practically no one changes banks / FIs based on security – it’s almost entirely rate oriented for mortgage holders. Tell a consumer they can get a 0.2% better rate by going with the bank that doesn’t fuss security, they’ll take it. Try and market your bank/FI as being more security conscious, it won’t generally draw in new members based on that alone.
Like, again using Canada as an example, we’ve had a year of the US antagonizing us and threatening economic ruin / annexation. Lots of Canadians are keen not to buy American products as a result. Almost all of Canadas banks/CUs use US partners/outsourcing within their stack: places like Vancity Credit Union, for example, are using Intellect Design’s product for their online banking, which is a partner owned by an India parent company (with little/no presence in Canada), which hosts its stuff on Microsoft’s cloud. Most Credit Unions in the country are likely going to go the same way in the next couple years – even though it’s a huge security risk, and highly likely that both India and the USA will gain access to all your data, let alone sketchy third party’s like India’s fraud centers. There are a couple Credit Unions in Canada that actually maintain stuff (almost entirely) in Canada. But that’s not enough to entice people to use those organisations, so they’re all dying out / merging as a result of a lack of members (and regulatory overreach / decrees).
If everyone is selling my personal information and I’m not getting my cut then I see a class action lawsuit in the not too distant future. Who’s with me?
At some point so much data will have been leak that there will be no new data to leak, right?
Think of it like the water cycle
They should publish the names of the companies which datasets have been involved. NOW.
the name of the company is known. it’s IDMERIT: https://www.idmerit.com/
Yes, but the point is that they seem to have data for or on behalf of a load of different companies, probably in the telco department.
Why the hell would you use an AI tool for giant data sets of sensible data? Someone needs to go to jail and that company shouldn‘t exist any longer.
And it’s all part of ai training data now too.
I used to wonder when I watched “Star Trek TNG” as a kid, how they could ask for and get such detailed biographical information of a long dead person, enough to recreate that person convincingly, in a holodeck. Well, I guess I have my answer.
I really thought I’d be living in something like the federation one day, instead I’m here boning up on the Ferengi Rules of Acquisition.
instead I’m here boning up on the Ferengi Rules of Acquisition.
I mean, Ferengistan is Europe and in wider sense the West in Farsi, so - pretty logical.
(Which is why I don’t subscribe to the theory that Ferengi are an antisemitic trope. They are a subversive futurist trope, “seeing ourselves through the eyes of others the same way we often see them”.)
Everyone likes to see themselves as the heroes of some universe.
It’s also true for some Soviet science fiction, like things by Strugatsky brothers communicate that deep painful wish for “us” to be that society of scientific workers and doctors, and the barbaric and lost people they visit and help to be “them”, but that’s not how the world is. Even the “approved” Ivan Yefremov with his “Bull’s Hour” shows a space colony which is supposedly a remnant of the “capitalist and imperialist” world, yet surprisingly reminisces USSR, while that team of heroes from heaven that comes trying to fix them doesn’t seem like anything from USSR.
I think about this kind of simplistically.
Firstly, answer to yourself is it practically possible to store and use vast amounts of data safely, without risk of being compromised?
If you say no, then we shouldn’t be doing this. If you said yes:
Since you think it is practically possible to do safely, the penalty for any company who fails to do this should be instant corporate death. Automatic nationalization and liquidation to compensate the victims. People who are found in court to be responsible should face severe consequences. Criminal negligence, multiple counts.
That’s the only way I see to get all of these data hoarding fucks to take it seriously.
/end pipe dream
Something something not their fault, suffering from lead deficiency.
Or we could collectivize, organize, arm ourselves, seize control of the means of production, and put leaders, politicians, billionaires and corporate executives on trial for their crimes to determine between re-education or execution.
If we’re going to dream.
The penalty should be equivalent to the amount of people affected. At least $1000 per person fine is bare minimum. So, that’s a fine of 1 trillion payable by the shareholders.
The EU GDPR doesn’t go nearly far enough.
If I order online, my data only needs to be retained until I get my item. A electronic receipt can be sent via email.
Social networks should have human moderation, and not insist on retaining real-world data about users.
These things could be accomplished through regulation, and if enough countries (or US states) put those regulations in place it will eventually be more cost-effective for companies to implement the changes globally.
Tax records are required to be kept for 7 years in North America (generally, as far as I know - def in Canada). So you order something online from a business, they have a business need to keep your data on hand for 7 years in case an auditor / tax person comes asking about it. Be that someone auditing the business, or someone auditing a customer. That’s a requirement from the government.
I’ve seen customers ask for tax stuff going back up to 20 years from a business. In those cases, if there’s demand for data going back that far for whatever reason, the business can internally say “We have a business reason to retain data longer” because people ask for it – there’s demand. So they can justify to auditors/legal sorts retaining that information indefinitely, based on user demands/requests.
In some cases when I’ve seen those ancient requests, it’s also tied to legal disputes from customers – eg. Trying to prove in a divorce that such and such was bought by party A in 2005 for X amount. In some cases, there’re class actions that go outside the 7 year window, and require data from further back to sort out – for example there’s a case in Canada currently where a financial lender is paying back ~$2000 per person that took a loan from them from 2016-2021 (so ~10 years of personal data needs to’ve been kept, to verify early claimants). Part of needing to keep data so long, is that the court cases are often so drawn out that the 7 year window would make some crime/wrong-doing much more difficult to prosecute due to a lack of evidence. I know of one class action lawsuit in the Financial Industry that’s been ongoing since the 90s, and still isn’t fully resolved – most of the potential class action recipients are deceased at this point, and the only people profiting are lawyers, but still. Lawyers are a part of the problem, and a reason why data is often being held longer and longer. Honestly, Lawyers are also terrible at securing their data --they tend to rely on paper-controls to prevent their unsecured data from getting used, rather than actual hardening. Like there was a guy who spent a few years in Colombia or something, his personal laptop being used for all sorts of nefarious stuff, and when he came back to Canada and the border people took his laptop, it was totally unencrypted/unsecured. They guy just argued it was his “legal work” laptop and everything on it is confidential and can’t be used in court.
Idk. I think your approach is overly simplistic for the issue. There’s a lot of “stuff” related to corporate data retention policies and methods, and I don’t really see much nuance in what you’re proposing. Hell, if they only kept your data till you got your item, youd NEVER be allowed to get a refund, cause they’d have no record of you purchasing the item.
The core purpose of KYC - to make it harder to launder money, and for the ultra rich to hide away their ill gotten gains - is not evil, far from it.
The fact the very same people which benefit from a perception that KYC is evil, are the same people making the decisions which directly lead to data breaches, is obviously a complete coincidence!
Bruh, the ultra rich have operated state sanctioned child rape islands for several decades. Do you really think KYC has any impact on their crimes?
If so, I have a bridge you might be interested in acquiring…
those crimes in specific? no.
in how they carried out specific other crimes? yeah, it changed methodology at very least. it sounds like you don’t understand KYC. it was not targeted at sex trafficking.
HSBC enabled fraud in the hundreds of billions, and they didn’t have even remotely equivalent consequences.
How about only accepting measures that impose great risk on the privacy of the working class once corporate and political criminals face the same level of “justice” and consequences as the working class?
I was not equating those crimes
uh yeah you were
KYC does nothing against rich people. Panama Papers came out and nothing happened. Law enforcement does not target rich people.
Yep. KYC is to stop the movement of funds that could be used to undermine the system. A.k.a terrorism.
Terrorism as defined by whom? Because those protesting Israel are soon terrorists. Animal rights defenders. Environmental protesters especially opposing oil pipelines and the like, climate protesters, people protesting the police, etc.
This is going to get really bad, the mask is off, they aren’t pretending to operate government according to the rules, or to be believable. The terrorists they will be targeting are those protesting the plutocracy ass fucking people without their consent.
Exactly. Anything that undermines the billionaire narrative.
Also tax evasion.
Don’t use that example. Look up consequences of Panama Papers. At least say that nothing happened in USA, land of the corrupt, home of the slaves.
I agree that KYC isn’t inherently evil. But the way its been weaponized is.
For instance in the telecommunications space it make total sense for mitigating spam SMS messages and Robocalls. But the carriers all sell your data for profit. They also don’t protect your data properly and are breached all the time. That’s malicious.
So no, I won’t throw the baby out with the bathwater and agree its an oversimplification to simply call KYC evil. But I also don’t blame people when all they see is abuse and never a good and proper implementation that isn’t exploitative.
There’s also an execution problem.
Truly knowing your customer might produce very different outcomes than the current compliance checkbox approach.
“I know Fred just sold his old car. The idea he suddenly has $12k in cash is not suspicious” or “Jane’s been talking about going to Montreal for momths. We should not block her card when it lights up there.”. That’s real KYC, but it requires human connection and human judgement, which doesn’t scale and doesn’t provide the right paperwork for demonstrating compliance with arbitrary mandates.
There’s also an execution problem.
There absolutely is. Way too many of these fuckers are still breathing.
Is this why my phone was suddenly enrolled in half a dozen text notification services at the same time last week? Or was that a different massive-scale data leak? It’s hard to keep track at this point.
Last week, we published our team’s findings about an exposed Elasticsearch cluster that contained over 160 indices and held 8.7 billion primarily Chinese records, ranging from national citizen ID numbers to various business records.
Last December, the team uncovered an unprotected database containing 4.3 billion records, some of which included LinkedIn-derived personal information. The 16TB-strong instance contained emails, photos, employment histories, and other personal data. A single collection alone contained 732 million records, including photographs.
In July, Cybernews covered one of the largest data leaks in history, after researchers discovered several collections of login credentials, containing 16 billion records. The team found 30 exposed datasets, each containing tens of millions to more than 3.5 billion records.
The leaked data included login info for just about every online service, including Apple, Facebook, Google, GitHub, Telegram, and even government platforms.
Damn…
60m records in Germany. That 3/4 of the population. The US has 350m inhabitants. 200m leaked records accounts for more than half!
Gotta love how the blog is nothing but “We’re awesome, data leaks cannot happen with our architecture”. Something about advertising too much is making up for lack of actual skill or something
I’m a software and systems architect. Architecture won’t save you if the implementation is crap. That’s just marketing jive talk.
“At this scale, downstream risks include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms. Industry-wide, the case underlines how third-party identity vendors have become critical infrastructure and can become single points of catastrophic failure,” our team explained."
Wouldn’t Username + Password + SIM = 2FA password reset?
It would for all the financial industry that refuses to move to a real 2 factor system.
The Cybernews research team discovered an exposed MongoDB database containing nearly 1 terabyte of personally identifiable information (PII) exposing approximately a billion sensitive records across 26 countries.
Welp. I guess, time to change passwords.
holy shit I used this exact method this week at work to extract a paid-for database for free.
