This is a multi-part interview with the individual known as “Nam3L3ss” who leaked more than 100 databases on a popular hacking forum and will soon be leaking many more. Read the Preface. In Part 1, we talked about his background and what motivated him to do what he does. In Part 2, we talked about his methods for finding exposed data. In this part, we discuss some ethical concerns and the future.
Ethical Considerations
Dissent Doe (DD): In your forum “manifesto” you wrote, in part:
If a Company or Government agency is STUPID enough NOT to encrypt its data during transfers or if an admin is too stupid or too lazy to password protect their Online storage that is on THEM!
The world should KNOW exactly what these companies and government agencies are leaking!
Companies and Governments alike have a RESPONSIBILITY to make damn sure they are encrypting PII Data!
Too many Companies Blame 3rd Party Vendors, yet they themselves are transferring UNENCRYPTED data to these 3rd Parties!
Those that are sending ENCRYPTED data have a responsibility to make damn sure the 3rd party is keeping it Encrypted!
If I find data from anywhere I will POST it regardless of the content until Governments take Data and PII information SERIOUSLY!
NO ONE will be exempt and no data format will be exempt!
It is time for Governments to take PII data seriously and hold Companies liable in the strongest terms!
This INCLUDES Government agencies!
We live in a digital world, time to make it secure for the generations to come!
DD: That makes your motivation pretty clear, but let’s pursue that and consider the ethics. In a previous part of this conversation, you expressed regret over some of your public claims that you would leak all of the data from Columbus Ohio, and we also touched on the fact that you manually search datasets to remove any information that might harm witnesses or assault victims. You also indicated you will not be exposing undercover informants’ information. But despite all your ethical decisions, you are still leaking personal information on people without their knowledge or consent, including patient-related information.
N: As far as I am aware, the databases I have encountered thus far lack specific fields that include psychiatric or psychological information. Typically, such sensitive data is stored within document or image files, which I do not disclose. If I were to identify a database with a clearly defined field containing this type of information, I would certainly consider redacting it. In contrast, I currently release databases that encompass information related to prescription drugs that individuals have obtained. I believe there is significant value in making this information accessible to researchers who may be studying patterns in prescription use or examining pricing trends associated with these medications. However, I recognize that the topic of releasing prescription drug data can be contentious, and I remain open to dialogue about the ethical implications of such disclosures. Engaging with others in this discussion could provide valuable insights into whether continuing to release this information is justifiable or prudent.
DD: You haven’t specifically mentioned leaking databases with health insurance billing information. EDI (Electronic Data Interchange) records have diagnostic codes that, depending on the entity, might include ICD or DSM codes linked to sensitive mental health or other health issues that could either be stigmatizing or jeopardize the patient’s employment. As a healthcare provider, I often see leaked data diagnostic codes that I recognize and that anyone can simply look up online to find out what the patient was treated for. Maybe we could talk more about leaking health insurance information before you leak any more of it?
N: I will take this under consideration; this is a hard one, though. It is something I am willing to discuss further.
DD: In a previous chat with me, you also said: “I could have simply redumped everything, but 99% of people out there would not know what to do with it, or even how to handle the data.” In describing your methods, Foresiet wrote:
Data Curation: Each dataset undergoes a cleaning process to remove duplicates, irrelevant fields, and any data that lacks utility for cybercrime purposes.
But are you really cleaning the datasets to make them more useful for cybercrime or to encourage cybercrime, or did Foresiet just incorrectly assume your motivation? You had also written:
Dumps I hate, since they do not identify a Company. My Goal is to make damn sure every company info is identified, and all sources 100% identified when possible. If it helps people and lawyers sue Government Agencies and Companies even BETTER!
Even better than what? Please clarify exactly why you are cleaning the datasets and what you hope people will actively do with these cleaned datasets.
N: My intent is not to aid criminals or cyber gangs, those groups already possess the data. Rather, my goal is to shine a light on the alarming state of cybersecurity breaches and data leaks that plague our digital landscape. It is disheartening to realize that the severity of these incidents often goes unnoticed, overshadowed by sensationalized headlines that prioritize clicks over clarity. The media, in large part, seems preoccupied with creating “clickbait” content, neglecting their responsibility to provide accurate and nuanced reporting. Even when presented with verified facts, many outlets choose to gloss over the details, leaving the public in the dark about the true implications of these breaches.
The role of a “Cyber Research Investigator/Reporter” should inherently include rigorous fact-checking and thorough investigation. How can one claim this title when the vast majority of reports are simply rehashed narratives from hackers or ransomware groups without any real critical examination? The integrity of journalism is at stake when sources readily publish sensational claims without verification, fostering misinformation rather than shedding light on complex issues. In my own experiences with platforms like Hudson Rock and Bleeping Computer, I found my factual contributions disregarded, despite their outreach to me for insight. I clearly stated that I was neither a hacker nor involved in illicit activities, yet they continued to label my work with sensational terms like “Hacker” and “Threat Actor.”
This misrepresentation is not only frustrating but diminishes the legitimacy of the critical information I aim to convey. Terms like “watchdog,” “activist,” or “vigilante” more accurately encapsulate my efforts to expose the harsh realities of cybercrime. It is vital for the discourse surrounding cybersecurity to evolve beyond mere sensationalism into a more constructive dialogue that accurately reflects the challenges we face. Only then can we truly begin to address the pressing issues of cyber threats and protect our increasingly digital lives.
DD: I can understand your frustration at being called a “hacker” or “threat actor” if you see yourself as a watchdog who is not breaking any laws. And what you say about some media or researchers is true – there are too many who just repeat claims without any investigation or attempt to verify — or even a disclaimer that the claim is not confirmed and no proof has even been offered. And some “researchers” or “news sites” seem to rush to report leaks without even attempting to ensure that a leak is closed before they report on it. There is a lot of blame and fingerpointing to go around these days. Even the personal injury law firms contribute to misinformation these days, although many of them just announce they are “investigating” breaches disclosed by the entities themselves.
N: One of my listings involved Amazon employees. The data was not breached from Amazon’s servers, however, but from a property management vendor, Jones Lang LaSalle (JLL). Amazon confirmed the incident but stated that it was at a vendor’s and that the breach (only) involved employee contact information and not sensitive employee information. Now it seems some news sites and law firms are talking about a possible class action lawsuit against Amazon, but they don’t mention JLL.
DD: That’s not great if you want JLL to be held accountable.
DD: You spoke about critical information. You previously mentioned to me that most people have no idea what is in the data you have leaked and you used Delta Dental as an example where a Deep Dive should be done.
N: Yes, since even people downloading my data probably have no clue just how valuable the exposed data is, or the breadth and depth it covers. To me, releasing the data is only the 1st part of it. Discussing it in depth, and showing just how much it really reveals and exposes, is a critical part, since the average person, and the average government worker who does not work with data in the way I do, will never understand the far-reaching implications.
DD: In your manifesto, you also wrote, “Lawyers and Law Firms involved in suits against Government Agencies or Companies feel FREE to contact me via PM.” Have any personal injury law firms contacted you about the Amazon data or any of your other leaks?
N: I thought several different law firms would contact me, but it appears the lawyers are not paying attention to the forums, when they in fact should be!
Back in 2020 when I first downloaded the Vertafore database from an open AWS bucket, a lawyer then posted requesting info on it. I never supplied it or answered, since I was not interested in making things public or getting involved.
That all changed earlier this year. I cannot remember exactly what I read or saw about Vertafore, but it got me pissed so I posted it.
Soon I will be more proactive on this front and actually start contacting lawyers directly and sending them the data no strings attached.
DD: Do you leak student information from K-12 districts? And if you do or might, if a database has fields that indicate a student’s disability or any sensitive information, will you still leak it?
N: I would redact that information.
DD: If a company approached you and begged you not to leak their data because it might bankrupt them, would you ever agree not to leak data?
N: The responsibility to protect sensitive information is not just a legal obligation; it is a fundamental ethical duty that companies must uphold. When they fail in this responsibility due to negligence, it is deeply frustrating to watch them receive a free pass for their shortcomings. Such failures not only compromise the safety of individuals’ data but also erode public trust in the institutions that manage that information.
Why should we extend grace to those who have blatantly disregarded their obligations?
It is time for consumers and stakeholders to hold these companies accountable for their actions, or lack thereof.
The persistent trend of data breaches is indicative of a severe flaw in corporate governance and accountability. Companies have been warned repeatedly about the importance of data security, yet many still remain complacent, thinking that the repercussions of inadequate measures will be minimal. In an era where every piece of information is a valuable asset, the negligence displayed by these organizations is inexcusable. If bankruptcy is what it takes to teach them a lesson, then perhaps this harsh reality is necessary. In a free market system, the consequences of failure should not be cushioned; they should serve as a stark reminder to others that safeguarding data is not optional but a critical component of business operations.
Consider the impact that witnessing a company go bankrupt over data negligence could have on the industry. It could spur a much-needed cultural shift where organizations prioritize robust security measures rather than treating them as an afterthought. Just as stockbrokers and bankers operate with the knowledge that their market actions can influence the fate of a company, they should also recognize that the failures of others can serve as a precedent for change. The reality is that financial peril is a potent motivator; the repercussions of a data breach should be severe enough to instigate a culture of accountability and diligence. If companies want to thrive, they must learn that neglecting data security not only puts them at risk but also threatens the livelihood of everyone involved. Only through rigorous enforcement of responsibility can we hope to see a significant turnaround in how data security is approached in the corporate world.
The recent closure of NationalPublicData.com has sparked a wave of concern regarding the handling of sensitive personal information. While it’s tempting to view this as a victory in the battle against data breaches, the reality is far murkier. It’s crucial to recognize that the owner of this now-defunct company is unlikely to be held accountable in any meaningful way. As history has shown, individuals and entities that experience bankruptcy often find ways to emerge from the shadows, rebranding themselves under new names and facades while retaining access to their original data.
This situation raises serious questions about the legal frameworks governing data privacy and corporate accountability. The largest leak of personal information, including names, addresses, phone numbers, and Social Security numbers, should have triggered a robust response from regulatory bodies. Yet, there appears to be a shocking absence of laws that can decisively prevent the owner from re-entering the market and exploiting the very data that caused such widespread harm. It is disheartening to think that someone can file for Chapter 11 bankruptcy and effectively wipe the slate clean, slipping through the cracks of accountability.
Moreover, why is there no aggressive investigation into the methods used to acquire such sensitive data in the first place? It’s imperative that the government takes responsibility, not just for the affected individuals, but for setting precedents that discourage similar behavior in the future. Seizing the owner’s computers, gathering evidence, and ensuring that he faces both civil and possibly criminal repercussions should be priorities in addressing this issue. Without such action, the cycle of exploitation will continue, as these companies can simply vanish and reappear, leaving a trail of destruction in their wake while maintaining their profit-driven motives.
The absence of infrastructure to protect consumers from such cyclical behavior feels unjust and begs for a reevaluation of data protection laws.
Goals
DD: So what are you really hoping to accomplish? In a pre-interview chat, you told me that your real goal is to release enough data in database format (like names, address, date of birth, SSN, even banking details) to show people just how much of their personal info is already out there. “Every decent hacker and ransomware group already has the damn data, but the public is NOT realizing exactly what these criminals have on them,” you told me.
N: “The definition of insanity is doing the same thing over and over and expecting different results.”
How many alerts have been released to the public, organizations, and even authorities over the last two decades? Can you demonstrate where any of these alerts have led the aforementioned to implement any meaningful actions to safeguard “data privacy” or genuinely secure the data appropriately?
Do not reference the Data Broker Registration laws from CA, OR, TX, or VT, nor any state’s Data Breach Notification obligations; these are all ineffective and inconsequential laws that serve only to give the impression that action is being taken. The reality is that there is no law whatsoever that has any enforcement ability concerning the protection of the rights and privacy of individuals.
Consider it from a different perspective; if the US Government was genuinely committed to “protecting the consumer,” whether it involves company information or personal data, then why haven’t they established a federal law on the matter as they have with the Computer Fraud and Abuse Act (CFAA)?
Is it genuinely too difficult for legislators to create laws that implement “data protection” and data protection standards? Or is it more that the politicians are preoccupied with kissing the ass of the data broker lobbyists?
Politicians are solely safeguarding the interests of the Data Brokers and not the constituents they are intended to represent!
All people have to do is some simple Google searches to check, like this one.
https://github.com/the-markup/investigation-data-broker-lobbying
DD: Suppose everyone says, “OK, you’ve leaked so much data that we’re convinced all this data is out there in the wrong hands and we’re really worried and mad. Now what? What do you think we should do?” What do you want to happen then?
N: While there are numerous regulations and laws that address copyright infringement related to torrents, music, movies, tv series, and ebooks, the legal landscape regarding the protection of personally identifiable information (PII) is basically non-existent.
DD: Is there anything I haven’t asked you that you wish I had asked you? If so, what?
N: Yes, because data brokers are the real “Threat Actors.”
Let’s be real here: data brokers like National Public Data, along with numerous registered and unregistered companies operating in this shadowy ecosystem, represent a significant threat to public privacy and security. These organizations compile, analyze, and sell vast amounts of personal information about individuals without their consent, often operating under a veil of anonymity. This accumulation of data can lead to various forms of exploitation, from identity theft to more insidious forms of surveillance and manipulation. Unlike traditional criminal enterprises, data brokers often navigate through legal loopholes, making it challenging for consumers to understand how their information is collected, used, and shared.
Moreover, the lack of stringent regulations governing the activities of these data brokers exacerbates the issue. Individuals often find it nearly impossible to opt-out of data collection practices, leaving them vulnerable to targeted marketing campaigns, spam, and potentially harmful encounters. This is particularly concerning in an era where personal data is a valuable commodity, often traded among organizations with little oversight. The very existence of these brokers creates an environment where personal data is commodified, reducing individuals to mere data points that can be profited from without their knowledge or consent.
As we continue to navigate an increasingly digital world, it is crucial for individuals to recognize the pervasive influence of data brokers. Advocacy for stronger privacy protections and greater transparency in data collection practices is essential in combating this modern form of exploitation. By raising awareness of the potential dangers associated with data brokers, we can begin to push for actionable reforms that protect individuals from being reduced to their most basic data attributes in an ever-expanding marketplace of information. It’s time to confront these “real threat actors” head-on and advocate for a future where personal data is treated with the care and respect it deserves.
DD: OK, but you haven’t really answered my main question. What do you think we should actively do or what do you want to happen next? Tell us what specific actions you want members of the public to take to make things safer for ourselves and future generations?
N: I will create a detailed article regarding this issue; it would be far too much to accomplish in the interview.
DD: Okay. In the meantime, what can we expect you to be doing? What’s next for you?
N: In the coming days I will be releasing the following:
Over 125 more companies identified by domain names from the Delta Dental breach. Here are some examples:
- Self-Insured Schools of California
- San Diego County Office of Education
- Whatabrands LLC
- Howard University Hospital
- occ.treas.gov
Plus a massive trove of Electric & Gas customer billing data along with actual bills. The data contains valuable intelligence on people and companies with full service and billing addresses.
DD: Sounds like I should go put up more coffee….
DD: Thank you for this interview.