Data Broker Exposes Records Containing Personal Information

A Florida-based data broker, IMDataCenter, has secured a large dataset containing sensitive personal information after it was discovered publicly exposed online without password protection or encryption.

The unprotected database contained 10,820 records, totaling 38 GB of data. Most of the files were .csv spreadsheets, each containing thousands — and in some cases hundreds of thousands — of rows of personally identifiable information (PII).

A sample review of the exposed files revealed records including:

• Full names
• Physical addresses
• Email addresses
• Phone numbers
• Lifestyle and ownership data

The dataset appeared to be a storage repository for client orders labeled “reports” and “results.” File names suggested the lists were used for sales and marketing lead generation across multiple industries, including insurance, solar energy, elections, car warranties, hospitals, healthcare providers, and more.

Database Ownership and Company Profile

The database name and its contents pointed to IMDataCenter, a Florida company specializing in data append and enhancement solutions for marketing strategies, including lead scoring and identity management.

According to IMDataCenter’s own website, its data library is sourced from hundreds of verified public and proprietary channels — both online and offline. The company claims to maintain detailed information on:

• 260 million individuals
• 130 million households
• 600 million email addresses
• 550 million phone numbers (including 230 million mobile numbers)
• 153 million property records and 208 million deeds
• 75 million homeowners

It remains unclear whether the exposed database was directly owned and managed by IMDataCenter, a third-party contractor, or an affiliated company such as a parent or holding entity.

Discovery and Response

Upon discovering the exposure, a responsible disclosure notice was sent to IMDataCenter. Shortly afterward, the database was secured and restricted from public access.

In a reply, the company stated:

“Data security is really important to us too and really appreciate you sharing this information with us. We are working to secure the information ASAP.”

It is not known how long the database was publicly accessible or whether other parties may have accessed it before it was secured. Only an internal forensic audit could confirm the extent of any potential unauthorized access or suspicious activity.

Risks of Exposure

The exposed information could be highly valuable to cybercriminals for phishing attacks, identity theft, and targeted scams. Marketing datasets that contain detailed personal and lifestyle data can also be repurposed for highly tailored social engineering campaigns, making victims more susceptible to fraud.

While IMDataCenter acted promptly to secure the exposed database following notification, the incident underscores the risks inherent in storing massive amounts of personal data without adequate safeguards. As marketing data brokers continue to aggregate and trade vast datasets, the potential impact of breaches — even inadvertent exposures — remains significant for both individuals and the industries relying on such information.

About The Author