Discussion
1 billion identity records exposed in ID verification data leak
egorfine: KYC = Kill Your Customer.
cataflam: Almost a month old: https://cybernews.com/security/global-data-leak-exposes-bill... and I've never seen any confirmation elsewhere. Looks like CyberNews have edited the article with more info since I first saw it, it used to look quite suspicious and untrustworthy, it now has more info. Still doesn't say exactly what a record is, or how many uniques there are.
mbix77: What did measures like GDPR ever achieve except for making me click a cookie prompt away?
Rygian: Actual punitive measures taken against entities who e.g. manipulate personal data in a negligent way. [1] Which was much harder to achieve before. [1] https://www.enforcementtracker.com/
loloquwowndueo: Right to be forgotten - you can ask companies to delete data they hold on you. Data ownership/portability: you can ask companies for a copy of all data they hold on you or related to you. I’ve seen the latter used by job applicants to get an entire copy of their interviews, transcripts and assessments including the reason for not being hired.
etothepii: In the UK, open banking was essentially a response to GDPR; this has allowed (to a limited extent) a variety of tools to be built on top of bank accounts that otherwise would not have been.
whatsupdog: Where the F does IDMerit even get all this data from? They have names, DOBs, addresses, phone numbers, national identity numbers for over a billion people? How?
pjc50: That was actually the two Payment Services Directives: https://blog.finexer.com/guide-to-psd2-regulation-for-open-b...
pjc50: GDPR doesn't apply in the states, but hopefully it provides for some punishment for the poor security here for EU customers. Of course, then some Americans will get mad that a US company has to follow EU law.
ralferoo: The GDPR applies worldwide to any data held about EU or UK citizens, regardless of where they reside. It does apply in the US, it's just potentially harder for the EU to enforce meaningful penalties for infractions.
neya: If I was in Vegas, I would bet my life savings that the CXOs of the said ID Verification company's data isn't included in the leak. This is just like that McDonald's CEO's video - they never use what they create.
bilekas: > That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment
The fact that they didn't vet their data providers then has to be considered a form of negligence. In the end, it's the company I am handing over my details to to act responsibly, not their providers. I hate this responsibility delegating when it's not a good look, and this will continue to get worse now as the entire internet will be ID gated soon. But don't worry, all the lapse in privacy and even security in the name of 'saving the kids'.
tootie: It's a weird article. For one, the researcher says "they believe" the data belongs to IDMerit but apparently aren't sure. IDMerit denies it's the owner of the data nor is it any of their partners. And there's very few details about where or how they found this database. It's possibly some kind of hoax or ransom attempt? Or there's really just billions of unaccounted databases of private data just sitting all over the Internet.
bilekas: > Of course, then some Americans will get mad that a US company has to follow EU law.
This is always the way of the world though, if you want to do business anywhere, you are of course obligated to follow the local laws and regulations. I don't see anyone disputing this outside of blatant patent infringement by certain countries.