Channel 2 Investigates

Is your personal info at risk? Experts say online data exposure is an epidemic

You've heard of hackers and criminals stealing information online, but security researchers told Channel 2 Action News that cyber criminals may not have to steal anything to access your personal, financial or even medical records.

“It's kind of an epidemic of sorts,” said Mac Keeper security researcher Chris Vickery.

Vickery said it is so easy to find sensitive information online he makes a living doing it.

“I look for things that are publicly exposed. No user name, no password, nothing guarding it,” Vickery said in his home office in Santa Rosa, California. “I find them all the time, all day long, some much bigger than others.”

Vickery said he has found banking information, Social Security numbers, even unprotected government documents that he said could be a national security risk.

He said you don’t have to be a computer whiz to locate sensitive information online, you just need to know where to look.

Channel 2 found media reports of data exposure are published, almost weekly, blaming poor security protocols for critical personal information being made available online.

“This is a daily occurrence,” said Core security researcher Willis McDonald.

He said it's not always the company or website who receives your data that accidentally releases personal information.

Billing companies or marketing firms collecting data can make security mistakes.

“After you've given it out, it's in the hands of somebody else, and they can do whatever they want with it really,” McDonald said.

One recently reported breach exposed nearly 1.4 billion names, emails, phone numbers and home addresses. Vickery said he discovered the information, password free, from the company River City Media.

RECENT INVESTIGATIONS:

“There turned out to be backup files of a whole operation that I contend is illegitimate,” Vickery said.

According to spam watchdog, The Spam Haus Project, the River City group is a known spam organization. Vickery supplied Channel 2‘s Sophia Choi with a sample of the exposed information.

Choi knocked on doors of metro Atlanta residences whose information was in the exposure.

When residents were asked what they thought about their information being exposed some were indifferent, some said their information in the River City database was wrong and others thought whoever was responsible for the data being exposed should be punished.

River City Media declined an on camera interview, but told Channel 2 Action News in a statement that the company “firmly stands behind the fact that the once reputable marketing company was the victim of a malicious and targeted hack job executed by numerous third parties,” and they did not leave backup files exposed.

They have also filed a lawsuit refuting Vickery’s claims. You can find their full statement at the bottom of the page.

While personal information in the River City breach may be benign or just plain wrong, Vickery said he often finds crucial documentation that he said would impact those effected financially if it were discovered by bad actors.

“The point of people taking this data is so they can monetize it,” said Special Agent in Charge of the Atlanta Secret Service Field Office Ken Cronin. “They're going to take whatever they can turn it into the dark web and sell that information.”

Cronin said 48 states each have their own laws dealing with data breaches, but criminals misusing that information are often in other countries.

“The criminals are only restricted by their imagination,” he said.

Cronin said the U.S. Secret Service often works with international partners to prosecute cyber criminals.

Although some federal laws address how businesses should store data in specific industries, like the medical field, many breaches are not reported or take months to be discovered.

“As a consumer, for the most part, you are helpless right now,” McDonald said. “After you've let your information out its fair game for anyone down the line who makes a mistake.”

Here is the full statement from River City Media to WSB-TV:

"Given the current status of legal proceedings, River City Media politely declines any requests for interviews by press or media representatives.  As stated in our initial press release, River City Media firmly stands behind the fact that the once reputable marketing company was the victim of a malicious and targeted hack job executed by numerous third parties.  River City Media, it's owners, executives and employees are deeply saddened and disturbed by the series of catastrophic events that have taken place post publication of numerous false and slanderous articles about the company.  River City Media was not a "criminal enterprise" or "spam cartel" as falsely labeled, and has not been contacted by any government officials or entities regarding its business practices."

"Despite the claims of fictitious articles, River City Media did not leave an rsync backup exposed leading to the "leak" of billions of email records.  Additional company property that was unjustifiably accessed such as Hipchat logs, Google Docs and Skype records were never stored within rsync or any other backups...or on servers in which River City possessed.  The company has no involvement in the recent FCC issues, as inaccurately reported by the press.  River City Media will continue to instill its trust in the judicial system and God to determine the proper outcome of these devastating events."

0