Cyber Incident Victim: Modern Business Systems

Date: Oct 2016

Location: United States of America

Summary

A US-based data aggregator serving the automotive and real estate sectors suffered a significant breach that exposed the personal information of over 58 million individuals. The compromised data came from a publicly shared MongoDB file linked to the company and included names, email addresses, home addresses, phone numbers, and dates of birth. Downloads of the file were subsequently removed, but the potential risks of phishing and identity theft persist. The organization failed to publicly acknowledge the incident despite third-party reports from security firms and breach notification services, and affected individuals expressed frustration over the lack of transparency regarding one of the largest recorded breaches at the time. The firm monetized data through targeted advertising and email services for industry partners.

Description

On or around October 13, 2016, a publicly accessible MongoDB database containing personal information belonging to Modern Business Solutions (MBS), an Austin-based data aggregation company, was exposed online. The database contained records for over 58 million individuals, including names, email addresses, home addresses, phone numbers, and dates of birth. Security firms Risk Based Security and DataBreaches.net first identified and reported the breach after the database was shared publicly on Twitter. The exposure created significant risks for affected individuals, including potential identity theft and highly targeted phishing campaigns due to the detailed nature of the leaked information. Though downloads of the database were subsequently deleted, the timeframe of exposure left uncertainty about whether malicious actors had already obtained copies. MBS, which specialized in brokering consumer data for automotive and real estate industries through targeted advertising services, did not publicly acknowledge the breach despite media inquiries from The Register.

The incident gained wider attention when affected individuals like Dave R received breach notifications through haveibeenpwned.com, which ranked it as the ninth-largest breach in its records at the time. Public frustration emerged over MBS's lack of communication with victims, as no official statements, remediation offers, or transparency measures were provided by the company. The compromised data originated from MBS's core business operations involving data partnerships and subscriber email targeting services. No technical details regarding the breach mechanism (e.g., misconfigured database, external hacking) were disclosed in available reports. Similarly, no containment actions, forensic investigations, or post-breach security enhancements by MBS were documented in the public domain following the exposure. The incident highlighted risks inherent in data aggregation business models while leaving victims without clarity on mitigation steps due to the company's non-disclosure.
