A massive data breach earlier this month at Habitat for Humanity exposed the personal information of thousands of individuals, including their Social Security numbers.
Habitat for Humanity of Michigan’s virtual hard drive backups, which contained more than 400GB of information, were discovered online by an Austin-based security researcher in early October. The data is said to have contained hundreds of background and credit check profiles, in addition to roughly 4,600 individual profiles, all of which included Social Security numbers and other personally identifiable information.
Those affected by the breach are believed to be Michigan volunteers and applicants of the non-profit organization.
Habitat is an international Christian charity devoted to building “simple, decent, and affordable” housing and addressing issues of poverty around the world.
The data breach was discovered by Chris Vickery, a lead security researcher for MacKeeper, who described the breach as an “identity thief’s dream.” Habitat was alerted to the breach roughly three weeks ago. The leaky database has since been either taken down or moved to another location.
“I’ve found, so far, close to 5,500 people have been seriously exposed by this breach,” Vickery told the Daily Dot. Among the files, he said, are Experian credit check reports containing a wealth of personal information: “Everything an identity thief would need to break the law and do their thing,” he said.
According to Vickery, Habitat’s hosting provider had an exposed “rsync” service, a protocol which is used to “copy files from a given directory to another device—it’s used to make backups,” he explained. “However, most of the client’s backups were encrypted with … a decent backup encryption service.” Habitat’s folder, however, was not encrypted. “Their virtual hard drives were simply available.”
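As an added illustration, not part of the original article and not the actual configuration of Habitat or its provider, the two `rsyncd.conf` fragments below contrast the kind of rsync daemon module that leaves backups readable by anyone who can reach the service with a hardened equivalent; the module name, paths, and account name are assumed placeholders.

```ini
# File 1: weak /etc/rsyncd.conf (assumed example of an "exposed rsync service")
# Anyone who can reach TCP/873 can list this module and pull every file in it,
# and the rsync daemon protocol carries the data in cleartext.
[backups]
    path = /srv/backups
    comment = client virtual hard drive backups
    read only = yes
    list = yes
    # no "hosts allow" and no "auth users": unauthenticated, reachable from any address

# File 2: hardened /etc/rsyncd.conf (assumed example)
[global]
    # Listen only on loopback, so clients must arrive through an SSH tunnel
    # (or run locally); the daemon is never reachable from the public internet.
    address = 127.0.0.1
    port = 873
    use chroot = yes
    uid = rsyncbackup
    gid = rsyncbackup

[backups]
    path = /srv/backups
    comment = client virtual hard drive backups
    read only = yes
    # Hide the module from "rsync host::" listings.
    list = no
    # Second layer of address filtering in case the bind address is changed later.
    hosts allow = 127.0.0.1
    hosts deny = *
    # Require an rsync-level account; the secrets file holds one "user:password"
    # line per account and must be owned by root with mode 600 (enforced by strict modes).
    auth users = backupagent
    secrets file = /etc/rsyncd.secrets
    strict modes = yes
```

Binding to loopback and requiring credentials stops anonymous retrieval but does not encrypt the backup contents themselves; the virtual hard drives should additionally be encrypted at rest, as the article says the provider's other clients' backups were.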
Vickery reached out to alert Habitat three weeks ago, but he has only ever been transferred to a supervisor’s voicemail. “My messages have gotten zero responses,” he said. Given the length of time the data may have been exposed—which may be difficult to accurately pinpoint—the organization has a responsibility to notify the people who may be affected, he said.
A spokesperson for Habitat’s Michigan branch said it needed more time to assess the situation.
Ultimately, Vickery said, the fault lies with the party responsible for backing up Habitat’s data. “I don’t know in what area that process happens,” he said. “The question of where the servers are physically stored, and who is in charge of turning on and off the firewall, is up in the air.”
The leaky database containing Habitat’s data was taken offline around Oct. 10, a day after Vickery contacted ACD, Habitat’s internet provider, but before he reached out to Habitat itself.
ACD denied responsibility. “We are the ISP for Habitat for Humanity. We provide internet service to some of their sites,” said Kevin Meeker, an ACD sales engineer. “I provide raw internet, what they do with it is up to them.”
Evidence pulled from the breach may point to a Michigan-based tech company called Providence.
Reached by phone on Friday, a Providence employee confirmed that Habitat is their client. “I know that we are aware and that our CEO has looked into that,” the employee said. “I will tell you that the way that it was presented to us made it sound like [Vickery] may have been a hacker and that it may have been a phishing scam.”
An oft-cited security expert, Vickery has been instrumental over the past year in securing dozens of databases containing the private information of U.S. and foreign citizens.
In December, Vickery helped to secure a publicly accessible database containing the personal information of 191 million American voters. In June, he discovered yet another database containing approximately 56 million voter records, which included information about gun ownership.
This summer, he was invited to Mexico by the nation’s government after he discovered the names, addresses, dates of birth, and voter ID numbers of 87 million Mexican citizens exposed online by a misconfigured database.
Clarification: ACD did not host the breached database.