Slip-up exposes database to prying eyes

A developer's mistake leaves a database with millions of names, Social Security numbers and other personal details open to public access over the Internet.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
A developer mistake left a sensitive database with detailed personal information, including Social Security numbers, open to public Internet access for a few hours on Tuesday.

The database--frequently used by law enforcement, credit agencies and private investigators--was accessible through a simple search form on the Web and contained millions of names, Social Security numbers, phone records and public records such as residential histories, confirmed LocatePlus.com, which provides the database service.

"It was a pretty small breach of information," said Jon Latorella, CEO of the investigative services company. "It was only our bottom tier of information, or one up from the bottom."

LocatePlus shut down public access to the database around 10 a.m. PST. Latorella said that perhaps several hundred queries were made of the database and that 95 percent of those were apparently from security researchers who detected the breach.

While the company was working on an application to make the database information available on wireless devices, a developer opened up access for a limited range of Internet addresses to test the mobile service, Latorella said. The change resulted in the database being opened up to public access.

LocatePlus, based in Beverly, Mass., is investigating the incident, Latorella said. He stressed that the security surrounding the company's database service hadn't been breached. Moreover, the database routinely logs the Internet addresses of users, and so the company will know who had accessed the data.

Public access to the database underscores the danger inherent in placing such information on the Internet: Even the smallest slip-up can lead to a data leak.

"It is a little disturbing, to say the least," said Alfred Huger, senior director of engineering for security software firm Symantec. "Uncontrolled access like this, to this level of information, makes identity theft trivial."

Security analysts at Symantec discovered the glitch when someone posted the address of the database to an Internet relay chat. Symantec notified the FBI, and soon after, LocatePlus was notified of the incident.

"We would have caught it in a day or so, but the response was very helpful," Latorella said.