Florida Marketing Database Found Exposed Online, Containing Sensitive Personal Data

A large database linked to Florida-based data broker IMDataCenter was recently discovered online, fully exposed and accessible to the public without any password protection or encryption. The dataset has since been secured after a responsible disclosure.

The database contained 10,820 files with a combined size of 38 GB. Most were .csv spreadsheets, many holding tens or hundreds of thousands of rows of personally identifiable information (PII).

A brief review of the data showed that it included:

• Names
• Mailing addresses
• Email addresses
• Telephone numbers
• Lifestyle details and ownership-related information

The files appeared to serve as order storage labeled “reports” and “results,” likely intended for sales and marketing lead lists. File names suggested the data was used across numerous industries, such as insurance, solar energy, political campaigns, extended car warranties, hospitals, healthcare providers, and others.

Link to IMDataCenter

Based on the database’s name and contents, the records likely belonged to IMDataCenter, a company that specializes in enhancing marketing efforts through data enrichment, lead scoring, and identity verification services.

According to the company’s website, its data library is built from hundreds of confirmed public and private sources, both online and offline. The firm claims to hold:

• Information on 260 million individuals
• Details on 130 million households
• 600 million email addresses
• 550 million phone numbers (including 230 million mobile numbers)
• 153 million property records and 208 million deeds
• Data on 75 million homeowners

It is not confirmed whether IMDataCenter directly operated the exposed database, or if it was managed by a vendor, affiliate, or related entity.

Discovery and Company Response

Upon finding the open database, I issued an immediate responsible disclosure notice to IMDataCenter. The dataset was quickly taken offline and is no longer accessible.

The company responded:

“Data security is really important to us too and really appreciate you sharing this information with us. We are working to secure the information ASAP.”

The length of time the database was publicly exposed remains unknown, as does whether anyone else may have accessed it. Only an internal forensic review could determine if the information was downloaded or misused by unauthorized parties.

Potential Consequences

The type of PII found in the records could be exploited for phishing campaigns, identity theft, or other forms of fraud. Highly detailed marketing datasets can also be weaponized in sophisticated social engineering schemes that target specific individuals or groups.

Final Thoughts

While IMDataCenter moved swiftly to secure the exposed data once notified, the incident highlights the ongoing risks in the data brokerage industry, where vast amounts of consumer information are collected, stored, and circulated. Without strict security measures, even a brief period of public exposure can carry significant consequences for the individuals whose data is involved.