One Billion Records Compromised: Why More Data Means More Risk
A database containing around one billion personal identity records was recently discovered by cybersecurity researchers from Cybernews to have been compromised. These records were linked to IDMerit, a global identity verification provider. The exposed data came from 26 countries, with more than 203 million records originating from the United States. It included sensitive information, such as full names, addresses, dates of birth, emails, and more.
The exposed database the was discovered by the Cybernews team on November 11, 2025. IDMerit was immediately notified, and the database was secured by November 12. The company also reported that an individual demanded a ransom after it declined to share an incident report with the firm, which provides “Know Your Customer” services. Fortunately, IDMerit confirmed that no customers were compromised by cybercriminals. However, this incident serves as yet another example of how easily sensitive information can be exposed. Major companies, including Uber, Lyft, and Airbnb, consider providers like IDMerit to be critical infrastructure—yet breaches continue to occur.
Data breaches and cybersecurity attacks continue to rise at an alarming rate. In the first few months of 2026, several major incidents have already occurred, including a breach of Conduent Business Services, which involved a third-party contractor handling sensitive government records and affected the data of more than 25 million individuals. Another major incident involved telecom operator Odido in the Netherlands, along with an alleged breach connected to Switzerland’s Sunrise, one of the largest telecommunications companies in the country, exposing the personal information of roughly 6 million people.
The App Security Project have warned that government mandates requiring sensitive information on digital platforms comes with significant trade-offs. The more personal data that is collected, the more attractive these systems become to cybercriminals.
Legislation mandating age verification should be avoided, as it can increase vulnerability to cyberattacks and limits free speech.
Published on March 25, 2026