Massive data breach exposes nearly 645,000 sensitive records linked to SL Data Services

A database connected to SL Data Services, a U.S.-based data broker, has been discovered to have exposed 644,869 sensitive records online, sparking significant concerns about privacy and security. The unprotected database contained personally identifiable information (PII), property ownership details, vehicle records, court records, and background check documents, none of which were encrypted or password-protected.

The exposure was discovered by security researcher Jeremiah Fowler, who reported his findings to WebsitePlanet, a cybersecurity review and research site. Fowler analyzed a sample of the 713.1 GB database and found that 95% of the documents were labeled as "background checks." These records included a vast array of sensitive data, such as full names, home addresses, phone numbers, email addresses, employment information, family details, social media profiles, and criminal histories. Fowler verified that some of the individuals named in the records were indeed associated with the listed addresses.

In his report, Fowler highlighted the grave implications of the breach, stating, “This information provides a full profile of these individuals and raises potentially concerning privacy considerations.”

The database appeared to function as a repository for property reports ordered through SL Data Services. Customers could seemingly access these reports via a web portal, but a critical flaw in the system meant that knowing a file path could grant unauthorized access to stored documents. Fowler noted that the company used a single database for multiple domains, with no segmentation other than folder names based on website identifiers.

Fowler reported the exposure to SL Data Services, but access to the database remained unrestricted for over a week after his initial notification. Attempts to escalate the issue beyond the company’s call center agents were met with assurances that a breach was “impossible” due to the company’s use of SSL encryption with 128-bit protection. During the delay, the number of exposed records grew by over 150,000, raising concerns about the duration of the exposure and the potential for unauthorized access.