Nearly 25,000 union members were exposed last month in a massive data breach in Northern California.
Members of Sheet Metal Workers Local Union No. 104 were left vulnerable to identity theft or worse by a misconfigured database, which was discovered online by Chris Vickery, an oft-cited cybersecurity expert and lead security researcher at MacKeeper.
The database, discoverable by search engine, was not protected by a password and contained an extraordinary amount of personal information belonging to the union members: addresses, phone numbers, Social Security numbers, dates of birth, ethnicity, gender, marital status, family members and beneficiaries (plus their contact information), and employment dates, up to 108 individual details per member. It also held other personal files detailing litigation and contracts, essentially any legal work performed by the union on behalf of its members.
Vickery, who earlier this year reported a data breach affecting 191 million U.S. voters, did what he always does when he finds protected personal information online: He contacted the owner to warn them. On Oct. 10, he left a voicemail with Local Union No. 104. “The database and other files were secured sometime shortly,” he said. He remains concerned, however, about the union members whose information was put at risk.
“I haven’t heard anything in response from the Sheet Metal Workers Local 104,” he said. “They have my name and phone number. They know that my message was accurate.”
It’s a scenario that seems to repeat itself, as Vickery routinely discovers leaky databases online, publicly accessible and unprotected. More often than not, the organizations whose records are improperly stored work to avoid disclosing security breaches, even to the employees, volunteers, and customers most likely to be impacted.
Last month, after he reported finding the personal information of roughly 5,000 Habitat for Humanity applicants and volunteers in Michigan, the organization and those responsible for maintaining its servers had little to say. A tech company, which likely hosted the data, pointed the finger at Vickery instead, suggesting the researcher who discovered the problem may have been responsible for causing it.
That also happens a lot, he says.
“Shouldn’t they have some questions for me?” Vickery wonders. The workers union files contained a slew of passwords as well; they were scrambled, but wouldn’t be impossible to crack. And there’s no way for Vickery to know whether or not others accessed the data. “Perhaps so that when they (hopefully) let their members know of the security failure, the union can at least be fully informed of every relevant detail,” Vickery said. “That seems like the reasonable thing to do.”
An attorney for Local Union No. 104 said it was currently investigating the breach. Asked if they were planning to notify members that their personal information was exposed, they declined to comment.
Update 5:46am CT, Nov. 17: Added comment from union attorney.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.