25,000 California union members’ personal data exposed by unsecured database
The leak of information was discovered by an Austin-based security researcher at MacKeeper.
The personal data of nearly 25,000 union members was exposed last month in a massive data breach in Northern California.
Members of Sheet Metal Workers Local Union No. 104 were left vulnerable to identity theft or worse by a misconfigured database, which was discovered online by Chris Vickery, an oft-cited cybersecurity expert and lead security researcher at MacKeeper.
The database, discoverable by search engine, was not protected by a password, and contained an extraordinary amount of personal information belonging to the union members: addresses, phone numbers, social security numbers, dates of birth, ethnicity, gender, marital status, family members and beneficiaries (plus their contact information), employment dates—up to 108 individual details per member—among other personal files detailing litigation and contracts, essentially any legal work performed by the union on behalf of its members.
Vickery, who earlier this year reported a data breach affecting 191 million U.S. voters, did what he always does when he finds protected personal information online: He contacted the owner to warn them. On Oct. 10, he left a voicemail with Local Union No. 104. “The database and other files were secured sometime shortly,” he said. He remains concerned, however, about the union members whose information was put at risk.
“I haven’t heard anything in response from the Sheet Metal Workers Local 104,” he said. “They have my name and phone number. They know that my message was accurate.”
It’s a scenario that seems to repeat itself, as Vickery routinely discovers leaky databases online, publicly accessible and unprotected. More often than not, the organizations whose records are improperly stored work to avoid disclosing security breaches, even to the employees, volunteers, and customers most likely to be impacted.
Last month, after he reported finding the personal information of roughly 5,000 Habitat for Humanity applicants and volunteers in Michigan, the organization and those responsible for maintaining its servers had little to say. A tech company, which likely hosted the data, pointed the finger at Vickery instead, suggesting the researcher who discovered the problem may have been responsible for causing it.
That also happens a lot, he says.
“Shouldn’t they have some questions for me?” Vickery wonders. The workers union files contained a slew of passwords as well; they were scrambled, but wouldn’t be impossible to crack. And there’s no way for Vickery to know whether or not others accessed the data. “Perhaps so that when they (hopefully) let their members know of the security failure, the union can at least be fully informed of every relevant detail,” Vickery said. “That seems like the reasonable thing to do.”
An attorney for Local Union No. 104 said it was currently investigating the breach. Asked whether they were planning to notify members that their personal information was exposed, they declined to comment.
Update 5:46am CT, Nov. 17: Added comment from union attorney.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.