Which was much harder to achieve before.
Data ownership/portability : you can ask companies for a copy of all data they hold on you or related to you.
I’ve seen the latter used by job applicants to get an entire copy of their interviews, transcripts and assessments including the reason for not being hired.
This is always the way of the world though, if you want to do business anywhere, you are of course obligated to follow the local laws and regulations. I don't see anyone disputing this outside of blatant patent infringement by certain countries.
and I've never seen any confirmation elsewhere
Looks like CyberNews have edited the article with more info since first I saw it, it used to look quite suspicious and untrustworthy, it now has more info. Still doesn't say exactly what a record is, or how many uniques there are.
For example if I (as a German in Germany, ymmv) open a bank account online that involves a call with one of these companies where they take pictures and information from my passport and check that that's me. Then I choose payment in installments on some online shop, same game. Apply for a small loan? Same game. Set up an account for trading (stock exchange or crypto)? You guessed it, another call. Another payment in installments, backed by the same bank? Apparently verifying my identity again is easier than checking their database. Each of those is another record. Potentially with a new identity document, address or even name (maybe you got married) but mostly just the same data confirmed again with another timestamp
Not all of them use the same identity verification service, but there aren't that many. And I wouldn't be surprised to learn that many are the same company under different brands
Edit- rereading this, you’re obviously talking about scale. The original article is much better : https://cybernews.com/security/global-data-leak-exposes-bill...
I saw a reddit thread about it earlier where someone said the apparent hacker refused to actually show any of the data and was asking for money. So probably just a scam rather than a real leak.
Cybernews posts screenshots[1] featuring usernames like idmKYCCN and idmKYCFR, and the ports were locked down after contacting ID Merit.
I think thay what's happened is that everyone is telling the literal truth and speaking very carefully to use that truth to obscure rather than inform. To hell with the victims. The way I intrerpet this is that their denials are both factually accurate AND misleading.
The partner who said there is "no indication that any customer data has been compromised" is telling the literal truth. They can't find any indicators because they stink at logging and the screenshots posted on CyberNews obscure the customer info intentionally. Instead Cyber News only shows the IDM usernames in plaintext. Which was the responsible thing to do They literally cant see any indications... of customer data... because they dont have logs.
Nobody should ever trust anyone involved in this again if I'm correct in this interpretation of the available facts.
[0] https://www.foxnews.com/tech/1-billion-identity-records-expo...
[1] https://cybernews.com/security/global-data-leak-exposes-bill...
The fact that they didn't vet their data providers then has to be considered a form of negligence. In the end, its the company I am handing over my details to to act responsibly, not their providers.
I hate this responsibility delegating when its not a good luck, and this will continue to get worse now as the entire internet will be ID gated soon. But don't worry, all the lapse in privacy and even security in the name of 'saving the kids'.
egorfine•2h ago