In September 2015, medical insurance claim company Systema Software made headlines for all the wrong reasons: 1.5 million Americans’ data was publicly available online via an unsecured database, including everything from drug test results to social security numbers.
Then in December that year, 191 million US voters’ records were found easily accessible online, again due to a misconfigured database. Later that month, 3.3 million Hello Kitty fans’ data was also exposed — including info on nearly 200,000 minors.
In April 2016, there was a second voter database discovered unprotected online — this one containing data on 87 million Mexican citizens. In June, it was a huge terrorist and “heightened-risk individual” database, containing 2.2 million records.
All of these incidents have one thing in common: They were discovered by a prolific security researcher called Chris Vickery.
By day, Vickery — who lives in Texas — works in tech support for a law firm. “But by night I do the security research stuff,” he told Business Insider.
If you know where to look, the modern internet is littered with unsecured and misconfigured databases — often containing highly sensitive personal information on up to millions of individuals.
Vickery trawls the web looking for these databases, reporting notable ones to the companies responsible, and helping them patch the problems. He uses freely available software like search engine Shodan and network scanner NetScan to help him. The tools “let me look at general open ports on the internet,” Vickery says. “Things that require no password, no username, or anything like that, and are open and exposed to the world.”
Given the availability of these tools, it’s a certainty that many others are doing something similar, with more criminal aims in mind.
After all, the potential for abuse — from identity theft to blackmail — is obvious.
We called Vickery up for a chat about the most shocking things he’s ever found, why things aren’t getting better, what motivates him to do what he does — and what ordinary people can do to try and protect their data.
This interview has been edited for length and clarity.
Rob Price: Why do you do this? What attracts you to this research?
Vickery: Well it seems so obvious that somebody should be doing this. I found a few big things early on, and it kind of just prompted me to keep doing it. The bottom line is, I’m helping people out. I’m protecting the innocent person out there from identity theft, and that’s really what keeps me going.
Price: What’s the biggest or most shocking thing you’ve ever discovered?
Vickery: One of the early ones — probably the Systema breach. That affected about 1.5 million people in the US, and that was like social security numbers, and doctor notes, and litigation claims having to do with insurance, as well as investigatory notes and — you know, all sorts of things.
It was just way more in-depth than I figured anyone would be keeping in a database that was exposed to the public.
Price: It feels like there are new data breaches on a daily basis. Why does this keep happening? Why haven’t companies wised up yet?
Vickery: It’s profitable not to be secure. I think that’s the problem. It’s that businesses that operate in an insecure manner are making money still, and even when they get caught not acting securely there isn’t a big enough penalty to persuade them otherwise. That’s the biggest problem.
Price: So what should be done?
Vickery: A lot of people don’t approve of government regulations and everything. I don’t necessarily think the government needs to regulate things like this, but there needs to be bigger penalties.
I think the fines and the investigations when something does go wrong need to be so nightmarish that no company would even risk it.
On the PR front, people are exposed to so many breaches these days it’s hard to make much progress on consumer awareness, because they just got exhausted by the number of breaches they hear about. So people are caring less and less about each one.
And companies lie too much about how well they’re securing things, so I’m not at all confident that even if people got more information from the corporations it would actually be accurate.
Price: Are things getting better, or worse?
Vickery: The ones I’m finding are slowly getting cleaned up, just because of the amount of notifications that I send out. But in general, the ones that actually get hacked — there seem to be more and more people getting in on that.
I don’t think things are getting better. I don’t know if they’re getting progressively worse or staying about the same, but I definitely would not say things are getting any better.
Price: But what can ordinary people — the ones whose data is compromised in hacks — do about all this?
Vickery: It’s hard to say what an ordinary person can do, because they’re not really in charge of their data. They may supply it, but really, your options for being more secure about these situations just aren’t there.
One approach that I take is I limit my online footprint — I don’t have a LinkedIn account, I don’t have an active Twitter account — but for a lot of people, that’s not possible. They have to have those things.
But keep an eye out for unnecessary requests for information is what I would say to the average person. Don’t supply information that you don’t necessarily need to supply.
Price: Have you ever run into any legal issues in the course of your research?
Vickery: Not criminal issues. There’s civil issues, and there’s criminal issues — some people have gotten upset, and on a civil side tried to claim that I was defaming them, or doing nasty things. But as far as the criminal aspect of things go, every organisation I’ve dealt with — law enforcement or regulatory enforcement — none of them have even suggested that what I do has a criminal aspect.
On the civil side, ultimately people calm down and realise I’m not a bad guy, and it kind of works out that way.
Price: How many unsecured databases do you think you’ve discovered, and how big do they tend to be?
Vickery: Across my lifetime, I’ve found probably a couple hundred.
The ones I’ve actually notified and helped secure, maybe 80 or 90. But when I come across something, and there’s only 10 or 20 records in there, that’s not really something I even bother with any more because those are so common, so it’s hard to say really.
The ones I go out of the way and notify generally have several thousand records in them. I find so many of the small ones that the average is a couple of hundred records. When I find one with 100-200 thousand records, that’s pretty exceptional, then when you get up to a million, two million — that’s pretty rare, but they are out there.
Price: Do you think there are other hackers doing the same thing you are but with less honourable intentions?
Vickery: I’m certain there are. I’m sure I’m not the only person out there doing this.
It appears I’m one of the few that is actually notifying companies of it, but I’m positive there are plenty of other people that are doing the same thing for nefarious purposes.
Price: So what’s the future of data security?
Vickery: The future of data breaches — I don’t think it will be finding them, downloading them, and selling them. I think the future will be modification of them.
I think the people are going to be using their access levels to databases they find or hack or discover and offering services to change data and affect decision-making. That’s what I think is the next evolutionary step in the war of data breaches.