Data broker exposes 600K background checks and other sensitive files


SL Data Services/Propertyrec, an information research provider that operates at least 16 different websites and offers real estate ownership data and criminal records search information, left 713GB of sensitive data accessible without a password and unencrypted.

The publicly exposed database contained 644,869 PDF files, including court records, vehicle records (license plate and VIN), and property ownership reports. It was discovered by cybersecurity researcher Jeremiah Fowler, who reported the findings to Website Planet.

“Around 95% of the limited sample of documents I saw were labeled as ‘background checks’,” Fowler said.

ADVERTISEMENT

The exposed documents included full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history, providing a full profile of the affected individuals.

According to the researcher, the exposed database belongs to SL Data Services, LLC. However, the folders inside were named with 16 separate website domains, one of them being Propertyrec – it advertises property and real estate research data.

The researcher responsibly disclosed the data security incident and the access was closed. However, Fowler did not receive a response from the company. In one week since the initial discovery until the public access was restricted, the database grew from 513,876 to 664,934 records.

The company allegedly offered background checks and other data for customers for as low as $1 per search, but users often unknowingly enrolled in recurring subscriptions instead of a one-time payment.

Ernestas Naprys Niamh Ancell BW Gintaras Radauskas jurgita
Get our latest stories today on Google News

“These background checks are likely conducted without the knowledge or consent of the individual under review. In the United States, court records and sex offender status are generally considered public records,” Fowler said.

The researcher warns of potential identity theft, phishing, and impersonation risks. If malicious actors accessed the data, they could potentially piece together full profiles of individuals, their associates, employers, or family members.

This discovery marks the second large data broker-led data exposure since August 2024, when National Public Data experienced a breach that compromised billions of records and exposed millions of people. After the incident, the company filed for bankruptcy.

ADVERTISEMENT