- Twitter lifts ‘permanent’ suspension of activist Barrett Brown Monday 5:52 PM
- Billie Eilish fans fend off objectifying comments on tank top photo Monday 5:32 PM
- Groom’s mother sabotages wedding by tricking guests into wearing jorts and hoodies Monday 4:39 PM
- No one believes Bill de Blasio’s son sent him these debate prep texts Monday 3:26 PM
- Meek Mill, Jay-Z to release ‘Free Meek’ documentary on Amazon Prime Monday 3:20 PM
- 3 ways to secure your Nest cameras Monday 3:15 PM
- This Pokémon generator site is creating hilarious monsters Monday 2:48 PM
- MrBeast impersonator tricks kid into destroying his XBox Monday 12:50 PM
- This mom has the perfect nickname for her nonbinary kid Monday 12:25 PM
- Netflix tests pop-out player that will allow viewers to multitask Monday 11:44 AM
- Man allowed to sue media publishers over readers’ Facebook comments Monday 11:42 AM
- Republicans slammed for joke about ‘heavily armed militia’ at Oregon statehouse Monday 11:30 AM
- New bill wants tech companies to tell you how much your data is worth Monday 10:53 AM
- AOC has the best response to Steve King’s ‘concentration camp’ criticism Monday 10:19 AM
- Did Jake Paul and Tana Mongeau just get engaged? Monday 9:26 AM
25,000 California union members’ personal data exposed by unsecured database
The leak of information was discovered by an Austin-based security researcher at MacKeeper.
Nearly 25,000 union members were exposed last month in a massive data breach in Northern California.
Members of Sheet Metal Workers Local Union No. 104 were left vulnerable to identity theft or worse by a misconfigured database, which was discovered online by Chris Vickery, an oft-cited cybersecurity expert and lead security researcher at MacKeeper.
The database, discoverable by search engine, was not protected by a password, and contained an extraordinary amount of personal information belonging to the union members: addresses, phone numbers, social security numbers, dates of birth, ethnicity, gender, marital status, family members and beneficiaries (plus their contact information), employment dates—up to 108 individual details per member—among other personal files detailing litigation and contracts, essentially any legal work performed by the union on behalf of its members.
Vickery, who earlier this year reported a data breach affecting 191 million U.S. voters, did what he always does when he finds protected personal information online: He contacted the owner to warn them. On Oct. 10, he left a voicemail with Local Union No. 104. “The database and other files were secured sometime shortly,” he said. He remains concerned, however, about the union members whose information was put at risk.
“I haven’t heard anything in response from the Sheet Metal Workers Local 104,” he said. “They have my name and phone number. They know that my message was accurate.”
It’s a scenario that seems to repeat itself, as Vickery routinely discovers leaky databases online, publicly accessible and unprotected. More often than not, the organizations whose records are improperly stored work to avoid disclosing security breaches, even to the employees, volunteers, and customers most likely to be impacted.
Last month, after he reported finding the personal information of roughly 5,000 Habitat for Humanity applicants and volunteers in Michigan, the organization and those responsible for maintaining its servers had little to say. A tech company, which likely hosted the data, pointed the finger at Vickery instead, suggesting the researcher who discovered the problem may have been responsible for causing it.
That also happens a lot, he says.
“Shouldn’t they have some questions for me?” Vickery wonders. The workers union files contained a slew of passwords as well; they were scrambled, but wouldn’t be impossible to crack. And there’s no way for Vickery to know whether or not others accessed the data. “Perhaps so that when they (hopefully) let their members know of the security failure, the union can at least be fully informed of every relevant detail,” Vickery said. “That seems like the reasonable thing to do.”
An attorney for the Local Union No. 104 said it was currently investigating the breach. Asked if they were planning to notify members their personal information was exposed, they declined to comment.
Update 5:46am CT, Nov. 17: Added comment from union attorney.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.