How your identity gets swiped even if you're careful

Krebs on Security recently revealed that identity thieves have gained access to the databases of three of the biggest data mining companies on the planet.

LexisNexis, Dun & Bradstreet, and Kroll Background America Inc. have been systematically plundered by hackers, most likely from Eastern Europe, who have stolen millions of personal and business records and are selling them on the Internet black market.

A site called SSNDOB has been selling names, Social Security numbers, birthdates, and more culled from these companies via a botnet attack last spring. According to Brian Krebs, you could buy a credit report on anyone from the site for just $15. A background check would run you $12; a driver's license record $4; and assorted other bits of highly personal info cost 50 cents to $1.50 apiece.


How bad was this breach? Krebs writes:

A closer examination of the database for the identity theft service shows it has served more than 1.02 million unique SSNs to customers and nearly 3.1 million date of birth records since its inception in early 2012. Thousands of background reports also have been ordered through SSNDOB.

Is your personal info among the records that have been stolen? There is no way of knowing. The only thing you can do is start keeping a close eye on your credit accounts: order the free annual credit report from each of the big three firms (Experian, Equifax, TransUnion), and put a credit monitor on it to alert you if someone else tries to open a new account using your information.

The worst part of this, notes Krebs, is that identity thieves can use this information to circumvent the security safeguards put in place by banks—most of which involve asking detailed questions about your accounts that supposedly only you would be able to answer. By gaining access to full credit reports—and Dun & Bradstreet’s business account records—an attacker could impersonate virtually anyone flawlessly.

Hammer time

So what are these data brokers doing to make their databases more secure? It’s unclear they’re doing much of anything.

Let’s face it. There’s not a lot of incentive for these companies to do what’s necessary to lock down this data. Sure, they’ll take a small hit to their reputations, spend some money cleaning up the mess (usually after being ordered to pay for credit monitoring services), and then continue to do business as usual.

It’s not like they’re going to lose business to the competition, because there just isn’t that much competition. There are only a handful of huge companies out there hoovering up your data, repackaging it, and reselling it. It’s consumers who get hurt, but it’s businesses who buy their data from these guys. So ultimately the penalties for negligence are minimal.

For example, according to the Privacy Rights Clearinghouse database of breaches, this is the eighth time in the last eight years that LexisNexis has been pwned, spilling hundreds of thousands of customer records over that period.

I think somebody needs to revoke their data mining rights. I think breaches of this sort call for real penalties; if not via fines from agencies like the FTC, then through private rights of action. I wouldn’t be surprised if we see class action suits filed against these companies, though it’s unlikely they’ll be forced to do more than pay for credit monitoring services for those affected.

It is our data, after all. These companies are getting it largely for free and selling it for a profit. And because they’re such big repositories of consumer and business data—and, apparently, easy prey for hackers—they’ve got a big red bull’s-eye on their backs. They should be held accountable.
