Panda Security Mediacenter

Over one billion customer records belonging to IDMerit users left unprotected online

Cyber researchers discovered more than one billion unprotected IDMerit customer records online. The records included details of people from all over the world, with hundreds of millions of records belonging to US residents. The exposed data included full names, DOBs, home addresses and ID numbers, along with other sensitive information often found on government ID cards.

Cybernews security researchers confirmed that the unsecured data file contains approximately 1TB of databases, including more than 100 million records from Mexico and tens of millions of records from people residing in countries such as Brazil, Italy, Germany, and Spain. IDMerit has rejected the claims, stating that it does not believe the data was exposed. However, Cybernews researchers feel confident that anyone could have downloaded the exposed files.

Who are IDMerit and why do they have the records of so many people?

IDMerit is a global identity verification company operating in more than 180 countries and helping organizations reduce fraud by verifying the identities of their users. In many cases, users are asked to share a real copy of a government-issued ID or provide biometric information to pass IDMerit verification. Many high-profile companies, including well-known names in the fintech, banking, and crypto sectors, use the service to perform Know Your Customer (KYC) checks. 

Why is the IDMerit data breach not ‘fake news’?

The initial claims about the exposed data appeared a few weeks ago. Still, multiple media outlets dismissed the news about IDMerit’s customer exposure, labelling it as ‘fake news’ or ‘Russian hackers’ extorting KYC companies who refuse to pay ransom. Based on its internal review, IDMerit confirmed that cybercriminals did not compromise any customers.

However, it is important to note that the data was left unattended and accessible to people (and AI bots). The fact that IDMerit lacks knowledge or evidence of the incident does not mean the incident never happened. IDMerit admitted that a person was demanding a ransom after refusing to share an incident report with the KYC company. That person was a Cybernews contributor who then shared a sample of his findings with Cybernews, which independently verified the claims’ legitimacy. 

Which companies use IDMerit’s services?

The list is long! This is also a logical explanation for why the exposed data included records for 200+ million people in the USA. Many big tech companies choose IDMerit as their go-to identity verification service provider. Some of the top names include Uber, Lyft, and Airbnb. Experts consider companies like IDMerit critical infrastructure, and their inability to secure sensitive information could have devastating consequences for their users.

Why would cybercriminals be interested in obtaining the exposed database?

The Cybernews team has confirmed that bad actors could use the data points in the leaked file for targeted phishing campaigns or account takeover attempts, or to help fraudsters commit identity theft through credit fraud and SIM swaps. The researchers have highlighted the fact that such leaks could haunt people for years.

While IDMerit’s statement that no one directly compromised their systems is likely true, the breach appears real, with real-world consequences. The cyber incident highlights the importance of third-party vendors, which can sometimes lack the security skills and resources to protect the sensitive information they receive from their Big Tech clients.

This is certainly not the first time an unintentional data exposure has been blamed on third-party vendors. People wanting an extra layer of protection against fraudsters are strongly advised to take basic steps such as locking their credit reports and installing antivirus software on all their connected devices.
