
July 8, 2024

PII Data Breach: 5 Case Studies on Data Security Lapses

In 2023, there was a significant number of identity verification data breaches, and this trend has continued into 2024. Massive incidents in 2023, including the notorious "mother of all breaches," have involved platforms such as LinkedIn, Twitter, and Dropbox, with 26 billion data records exposed. In this blog, we will cover some recent data breaches: the AU10TIX data breach, the National Identity Management Commission (NIMC) of Nigeria data breach, the El Salvador data breach, the Australian biometric data breach, and the COVID-19 test data breach.

M Abd'al Bari

Research Associate

One of the most crucial aspects of identity security evolution is accurate identity verification. This is an essential step in the fight against the misuse of credentials that gives unauthorized access to company data, applications, and systems.

Identity theft poses a threat to both the public and private sectors worldwide. The reasons for identity data breaches are negligence in data protection practices, unauthorized access by insiders, illegal data harvesting websites, inadequate encryption systems, vulnerability exploitation, and third-party services. Data breaches can present different dangers to clients, for example, phishing, privacy issues, identity theft, and fraud.

Causes of Data Breach

The 2023 annual report from the Identity Theft Resource Center (ITRC) revealed 3,205 data breaches, a 78% increase from the previous year. It highlights the growing threat of identity-related crime. These breaches allowed hackers to access the personal information of millions of users without permission.

Here are some notable data breach incidents that occurred in 2023:

  • The US saw the most breached accounts of any country in 2023. Regionally, Europe saw 39 percent of all leaked accounts worldwide, with 116.6 million accounts affected.
  • Over 30 percent of businesses reported growth in breaches in 2023, with synthetic fraud impacting the e-commerce and gaming industries.
  • The biggest breach of 2023 targeted LinkedIn user data and affected more than 11 million accounts worldwide.
  • Many cases of identity fraud have also occurred in government offices around the world. Australia’s myGov platform was the victim of a $2 billion scam, while Bangladesh experienced a national ID card number data leak.

Recent Cases of Data Breach in 2024

1. AU10TIX Data Breach

A major identity verification company, AU10TIX, left login credentials exposed online for more than a year, allowing access to user data. The Israel-based IDV vendor verifies identities for some major tech and social media platforms, including TikTok, Uber, and X.

According to 404 Media, Mossab Hussein, chief security officer at spiderSilk, found the exposed credentials. The compromised credentials allowed access to a logging platform containing links to personal data, including names, birthdates, nationalities, identification numbers, and images of identity documents belonging to users of these services. According to the report, infostealer malware compromised these credentials in December 2022, and they were posted on Telegram in March 2023. The leaked information includes company credentials for services such as Office365 and Salesforce.

This breach highlights a growing concern as more social networks move towards identity or age verification models that require users to upload identity documents. It also underscores the importance of strong security measures and the potential risks associated with third-party service providers. In light of this breach, experts suggest exploring more secure identity verification methods, such as tokenization and zero-knowledge proofs.

2. National Identity Management Commission of Nigeria (NIMC) Data Breach

Paradigm Initiative discovered that many unauthorized websites sell access to the personal and financial information of over 50 million Nigerians for as little as 100 naira.

On March 16, 2024, Fij.ng reported on XpressVerify.com.ng, a website that illegally accessed and sold data including National Identity Numbers (NIN), Bank Verification Numbers (BVN), and driver’s licenses. Despite its shutdown, another site, AnyVerify.com.ng, continued to operate, recording over 567,990 visits in February 2024 and 188,360 visits in April 2024. Even though the website was quickly taken down, Paradigm Initiative is currently seeking legal redress on behalf of Nigerian citizens.

An NIMC press statement in June named these websites, “idfinder.com.ng, Verify.Ng/sign in, championtech.com.ng, trustyonline.com, and anyverify.com”, as unauthorized data harvesters. It urged Nigerians to avoid sharing personal data with these sites to prevent fraud and data exploitation.

This breach raises serious concerns about the use of data harvester websites to collect identity verification and other credential data, as well as about privacy rights and the potential for identity theft and financial fraud.

3. El Salvador Data Breach

Resecurity identified a data breach that has exposed the personally identifiable information (PII) of over five million citizens of El Salvador, affecting more than 80% of the country’s population.

The breach, carried out by a threat actor named ‘CiberinteligenciaSV,’ includes a 144 GB data dump posted on Breach Forums. The data contains people’s full names, dates of birth, telephone numbers, and email and physical addresses, in addition to national ID information (DUI) and selfie photos.

The source of the breach remains unclear, with possible connections to the Guacamaya hacktivist group being suggested but not confirmed. The breach may be linked to data from Chivo Wallet, El Salvador’s official Bitcoin and Dollar wallet, though this has been denied by the threat actor.

Beyond the massive scale of Salvadorian PII records, threat actors also obtained a headshot of each victim, which represents a crucial biometric data marker, particularly in the golden age of generative AI. This incident is notable as one of the first major breaches to affect nearly an entire country’s population, posing unprecedented risks of identity theft and fraud.

4. Australia Biometric Data Breach

A significant data breach involving personal information, including facial biometrics, of about a million Australians has been reported. This breach allegedly stems from Outabox, a hospitality IT provider, which collected data from 19 venues operated by ClubsNSW in New South Wales and the Australian Capital Territory.

According to the authorities, there were 1,050,169 records inside the leaked database. The leaked information includes facial recognition biometrics, driver’s license scans, signatures, club membership data, addresses, birthdays, phone numbers, club visit timestamps, and slot machine usage.

The breach was claimed by people asserting they are former developers for Outabox in the Philippines, who created a website stating the hack was in retaliation for not being paid for 18 months. The claims remain unverified.

The data breach in NSW has potentially compromised the personal and biometric information of over one million pub and club patrons. It raised significant concerns about data security and regulatory compliance in the hospitality sector.

However, cybersecurity expert Troy Hunt commented that the biometric data might not pose a real risk since facial images need to be in a specific template format for facial recognition algorithms, which doesn’t seem to be the case here.

5. COVID-19 Test Data Breach

A password-less database containing approximately 1.3 million Dutch COVID-19 testing records was left exposed online, revealing personal information such as names, dates of birth, and passport numbers. The breach, discovered by Jeremiah Fowler, is believed to involve CoronaLab, a major commercial test provider. Despite repeated notifications, no response was received from CoronaLab or its parent company, Microbe & Lab, until the cloud hosting provider was contacted to secure the database. The lack of response and delayed action raise concerns about responsibility and compliance with data protection regulations.

Bottom line

In a world plagued by data breaches and identity theft, privacy and security are critical for identity verification providers. Service providers can protect customer data by implementing strong security measures, high-quality data protection measures, multiple audits, regular security audits, and employee training programs. An organization’s cybersecurity is only as strong as its weakest link. Therefore, all employees must follow best practices to avoid putting themselves or the organization at risk of a data breach.


Muhammed Abd'al Bari is a certified Research Professional of KYC/AML Guide.