106 million Americans exposed as massive data leak rocks background check firm


The company left a database containing 2.2TB of personal data passwordless

by Kurt Knutsson

Hot on the heels of the National Public Records data breach, which leaked over 2 billion records, another background check firm has now suffered a leak. The company in question, MC2 Data, exposed the sensitive data of around one-third of the U.S. population—106 million people—to the entire internet. While data leaks are sometimes unavoidable, in this case, MC2 Data is fully responsible, as it left a database containing 2.2TB of personal data passwordless.


 

MC2 Data’s negligence led to the data leak

Cybernews broke the story of this security incident, noting that on August 7th, its research team discovered that MC2 Data had left a database containing 2.2TB of personal data unprotected and easily accessible to anyone on the internet.

The database contained 106,316,633 records with private information about U.S. citizens, and Cybernews estimates that at least 100 million individuals were affected by this massive data leak.

The leaked data included names, emails, IP addresses, user agents, encrypted passwords, partial payment information, home addresses, dates of birth, phone numbers, property records, legal records, family, relatives, and neighbors’ data, as well as employment history. MC2 Data even exposed data of 2,319,873 users who subscribed to its services, including individuals and organizations needing background checks.

Image: Leaked MC2 Data database (Cybernews)

 


 

What was the company doing with all that data, anyway?

As I mentioned, MC2 Data is a background check firm. It was probably using the data to provide background check services, gathering information on people for clients like employers, landlords, or organizations needing to verify things like identities or employment history. 

While data collection like this is pretty standard in the background check industry, companies are required to follow strict rules. They have to comply with federal, state, and local regulations to make sure their operations are legal and that people’s data stays protected.

“Background-checking services have always been problematic, as cybercriminals would often be able to purchase their services to gather data on their victims,” said Aras Nazarovas, a Cybernews security researcher.

 


 

The data leak is a goldmine for cybercriminals

The world’s most valuable resource is no longer oil but data. Everyone, from big tech companies to cybercriminals to small-time marketers, is willing to pay a premium for access to this vast amount of information. The biggest concern, however, lies with cybercriminals who can use this data for identity theft and other malicious attacks.

The leaked information of subscribers is particularly concerning, as these individuals could be high-value targets for cybercriminals. The subscribers may include employers, landlords, law enforcement, and similar entities.

MC2 Data is yet to issue a statement confirming the breach. We reached out to MC2 Data for a comment but did not hear back before our deadline.

 

It’s time to invest in identity theft protection

Cybercriminals who have access to this data may attempt identity theft, but with an identity theft protection service, you’ll be notified if and when you are affected. While there are many services that you can sign up for, my top recommendation is Identity Guard.

It can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account. It can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.

CyberGuy’s Exclusive Offer (save up to 52%): Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year. 


 


 

4 ways to protect yourself from data breaches

In addition to opting for an identity theft protection service, you can follow these tips to protect yourself from data breaches.

1) Remove your personal information from the internet: While no service can guarantee the complete removal of your data from the Internet, a data removal service is really a smart choice.  They aren’t cheap – and neither is your privacy.  These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites.  It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet.  By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with the information they might find on the dark web, making it harder for them to target you.

My top recommendation is Incogni, which has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.

Special for CyberGuy Readers (60% off): Incogni offers a 30-day money-back guarantee and then charges a special CyberGuy discount, available only through the links in this article, of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan. You get a fully automated data removal service, including recurring removal from 190+ data brokers. You can add up to 3 emails, 3 home addresses, and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.


 

2) Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

 

3) Be cautious of phishing attempts: Be vigilant about emails, phone calls, or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request. The best way to protect yourself from clicking malicious links that install malware is to have strong antivirus protection installed on all your devices.

My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.

 

4) Monitor your accounts: Breaches of this magnitude will make it a necessity for you to start routinely reviewing your bank accounts, credit card statements, and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.

 

Kurt’s key takeaway

When your business model relies on collecting people’s data and providing services based on that information, you must do everything possible to protect it. This is not only a moral responsibility but also a legal requirement. MC2 Data has failed to meet this obligation, and its negligence now puts millions of Americans at risk—many of whom were unaware that their data was being collected by the firm. Companies should face strict legal actions and hefty penalties for such incidents, rather than just receiving a slap on the wrist.

What do you think should be the consequences for companies that fail to protect consumer data? Let us know in the comments below.


 

Copyright 2024 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.


   

15 comments

Rick C September 26, 2024 - 6:53 am

I don’t think any company should keep info on anyone. The information should be destroyed or erased from their computers after its use. NO ONE should be able to sell MY info, it’s mine. It seems these companies are so far behind on security they should all pay us for their negligence. I no longer give my correct SS to Dr offices or anyone outside of government. I NEVER give my correct date of birth. What happened to the law that said SS could not be used for identification? Ridiculous.

William September 26, 2024 - 9:43 am

Companies such as this that leave databases open for all to see should be driven out of business.

Cleo M September 26, 2024 - 8:02 pm

Is there a lawsuit

JSS September 27, 2024 - 2:00 pm

At the very least be held liable!

sailor September 26, 2024 - 4:10 pm

Without question, they should have to pay back for whatever fraud took place because of their negligence

Hazel September 26, 2024 - 8:05 pm

Companies that fail to protect your personal data due to their negligence, must be held accountable, to include but not limited to hefty fines, legal action and offer free credit monitoring services to those affected.

A b L September 27, 2024 - 11:24 am

The company should be held legally accountable and lose the business and fined. They should have to offer free credit monitoring services to everyone affected immediately. A nationwide fund should be set up to deal with fallout to the clients.

Dee September 27, 2024 - 11:32 am

These entities should instantly have a qualified oversight party appointed to dissolve them. All assets should be placed in trust for future claims (drawing interest for the account before the disbursement of funds). All parties, individually and severally, personal, corporate, partnership, LLC’s, et al, should be held civilly and criminally liable to the fullest extent of the law. All licenses, personally and corporate, should be permanently revoked. Responsible parties should be permanently barred from same, similar, or related positions for life. And, did I say burned at the stake?

Bill A. September 27, 2024 - 12:24 pm

They should be forced to pay each person whose data was leaked some amount (like $50). That amount would be enough (in this case over $5 Billion) to cause them to take proper security steps. Even $5 ($500 million) would force them to take action.

James S. September 29, 2024 - 5:02 am

Here in Norway such spam by clicking on links in mail or sms is a problem that happens to a lot of us. So I spend a lot of money for security. So far I’m not infected, but my goodness, I have to be very concerned in cyberspace.

john hudson September 29, 2024 - 5:35 am

People need to start suing these places that have their data and not securing it.

Bob C September 29, 2024 - 10:31 am

These data breaches have already cost me money starting with the National Data breach where my SSN was leaked. Now another Data leak! I’ve had to lock & freeze my credit with all credit bureaus, sign up for having my personal info removed from the nationwide databases and I still don’t know if I’m safe. These breaches in Data should have to pay deeply for their ignorance for years to come!

Maryanne H September 29, 2024 - 6:33 pm

This company and its affiliates should be dissolved, after offering protecting coverage to those affected and pay out of pocket for the damage done to the people. I can’t agree more that the data that was collected for whatever reason or for whoever should’ve been destroyed when it was no longer needed. I too have gone through the process of locking and freezing accounts, alerts, removals and trying to protect myself against these a$$holes.

Rick D. September 29, 2024 - 6:52 pm

Companies that are negligent should be terminated. Assets sold and websites shut down. Executives barred from re starting a similar company or sitting on a board.

Catoosa F. September 30, 2024 - 1:48 am

The top executives in this company should be tried and, if convicted, sentenced to prison for life without parole!
