People Data Labs and the world of Data Enrichment

Caution: This article contains lots of my personal opinions on this subject. While I have done everything I can to verify the facts in my story, I cannot guarantee these are correct or up to date.

Before we get started, you should probably go check your email over on haveibeenpwned to see if this affects you.


Who are People Data Labs?

Well, where do we start? I guess with the company: People Data Labs. Based on that name you can gather what they do. They sell data. What's my issue with that? The fact that they don't actually collect this data themselves. A user will sign up to a service or put some of their personal data into a website, and usually you would trust that website to keep it secret and not just give it to any random person. That's exactly what this company takes advantage of: they collect data from those other sites, aggregate it and create a detailed profile on you. Your full name, your phone number, your social media profiles, gender, birthday, emails, where you're from and more. Here's the thing with this: you can sign up to their API for free. In fact, that's exactly what Troy Hunt, the creator of haveibeenpwned, did in this article: troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/.


The problems with this kind of service.

Which brings us nicely to the point of this article, starting with a quote from People Data Labs themselves.

We sign the agreements with all our clients that strictly forbids the data reselling and obliges them to ensure that all of the appropriate security measures are taken. However, there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines.

Source: WIRED via troyhunt.com

Let's split that quote.

We sign the agreements with all our clients that strictly forbids the data reselling and obliges them to ensure that all of the appropriate security measures are taken.

This first part points out one issue: they sign agreements. Just like you did when you clicked yes to that EULA when installing that software. I'm almost certain you didn't read it, and at a guess most people who sign up for a free key with PDL don't either.

However, there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines

Here's the part which irks me: they say there is NO way to enforce the rules for all of their clients. So they essentially admit they can't control the data they sell, and yes, that is correct, they can't, and that's the issue here.


The Hack.

In October of 2019 one of PDL's customers left an Elasticsearch server containing 1.2 billion records of personal information unprotected. The server was owned by a customer and not by PDL themselves. According to haveibeenpwned the data included email addresses, employers, geographic locations, job titles, names, phone numbers and social media profiles. That's not all of the data points PDL has, as I mentioned above, but it's a lot of them.

Reactions on Twitter were furious when people realized that this company, which they didn't even know existed, had leaked their data.

PDL replied to various tweets with this.

So I checked their opt-out page.

So let's get this straight: in order to opt out of a service I didn't know existed, I have to provide correct data to them and just trust the process that they will delete that data. There might be less of an issue with selling the data if people knew that their data was being sold by this company and how this company handles breaches.


My take

So here's my take on this. This company should not exist, and neither should oxydata.io or any of these services, because while as a developer these services may be useful, they put real people in potentially unsafe situations. Companies get breached every day, and that's the flaw: no matter how much a company tries, if you're not a massive company with a cyber security team you're probably going to get breached, and even then, this article shows that even giants as big as Google sometimes get it wrong.


Finally

I hope you've enjoyed this article and learned a thing or two. I encourage you to share this article, or just anything about this, because as privacy is being brought more into question worldwide, people need to question the companies that sell this data to the data enrichment companies, and the data enrichment companies themselves.

People Data Labs is not the only company doing this; they're just the only one that has been caught up in a data breach. Companies need to be held accountable for data mishandling. The websites that provide data to PDL and others should at minimum have to disclose the companies they sell to so people can opt out; otherwise we are left with a system that sells our data without us even knowing it.
