<div dir="ltr"><a href="http://www.csoonline.com/article/3149713/security/data-enrichment-records-for-200-million-people-up-for-sale-on-the-darknet.html#tk.twt_cso">http://www.csoonline.com/article/3149713/security/data-enrichment-records-for-200-million-people-up-for-sale-on-the-darknet.html#tk.twt_cso</a><br><p>Full data enrichment profiles for more than 200 million people have
been placed up for sale on the Darknet. The person offering the files
claims the data is from Experian, and is looking to get $600 for
everything.</p><p>Details of this incident came to Salted Hash <a href="https://www.peerlyst.com/secure-drop" target="_blank">via the secure drop at Peerlyst</a>,
where someone uploaded details surrounding the sale and the data. The
data was first vetted by the technical review board at Peerlyst, who
confirmed its legitimacy. Once it was cleared by the technical team, a
sample of the data was passed over to Salted Hash for additional
verification and disclosure.</p><p>Calls to individuals in the sample
data went to voicemail and were not returned. Should any of them confirm
their information, we’ll update this story.</p><p>Salted Hash also <a href="http://www.experian.com/marketing-services/consumerview-data-enrichment.html" target="_blank">reached out to Experian</a> and one other firm, <a href="http://www.acxiom.com/data-packages/" target="_blank">Acxiom</a>, as sources have speculated the information that’s up for sale aligns with enrichment data made available by these companies.</p><p>Acxiom
did not respond to questions. However, sources at Experian said that
they were made aware of this data breach last week, and investigations
determined that it wasn’t their data.</p><p>Instead, investigators
believe the data on offer is a collection of records that’s being
labeled as Experian’s in order to leverage the company’s name.</p><p>“We’ve
seen this unfounded allegation and similar rumors before. We
investigated it again – and see no signs that we’ve been compromised
based on our research and the type of data involved. Based on our
investigations and the lack of credible evidence, this is an
unsubstantiated claim intended to inflate the value of the data that
they are trying to sell – a common practice by hackers selling illegal
data,” Experian said in an emailed statement.</p><p>So while Experian investigators state the data isn’t theirs, the fact that the data exists is still a problem.</p><p>The
seller is taking things seriously too, limiting access to the data by
refusing to deal with potential buyers who have newer accounts or those
with only a few hundred dollars in previous transactions.</p><p>There
are 203,419,083 people listed in 6GB worth of records. The profiles
include PII such as a person’s name, full address, date of birth, and
phone number, but because it’s enrichment data, the records also
include more than 80 personal attributes.</p><p>Among the additional
attributes, profiles include a person’s credit rating (listed A-H); the
number of active credit lines; whether the person is a credit card
user; if they own or rent their home; the type of home the person lives
in; marital status; the number of children a person has; how many
children are in the home; occupational details; education; net worth;
and total household income.</p><p>In addition, some records indicate a
person’s political donations, including fields denoting conservative
donations, liberal donations, or general political causes.</p><p>Other
fields list personal donations (i.e. veteran’s charities, local
community charities, healthcare charities, international charities,
animal charities, arts or culture charities, children’s charities); and
financial investments (foreign and domestic, including personal
investments, stocks and bonds, or real estate).</p><p>There are travel
indicators too, including fields for people who travel internationally,
and fields for those who visit casinos. Finally, the profiles indicate
buying preferences, such as if a person is into home gardening, or has
recently purchased auto parts.</p><p>Some of the information in the
collected records was provided directly to the data broker by the
individual at some point. But data brokers who offer data enrichment
programs use a mix of opt-in details and sourced information. It’s legal
for them to collect, store, and share this information, provided they
comply with various data regulations.</p><h3>Impact:</h3><p>Commercially,
while data brokers have learned to navigate the various data privacy
laws, such as SB1386 and FCRA, now that this data is out there – it’s
fair game and available for anyone to use. While some of this data might
have previously required permission before it could be used, that’s no
longer the case with this data set.</p><p>Salted Hash reached out to J.
Tate, CISO of bits&digits, a counter and social intelligence agency
with headquarters in Germany and Columbia, SC, about the data that’s
currently up for grabs. He said sets such as this one have reached a
level of social desensitization that is dangerous.</p><p>“Not placing
the necessary importance on your digital identity and collected
marketing insights is one of the worst habits one can have,” Tate said.</p><p>“The
information collected in this trove, no matter which data-broker or
marketing enrichment system it came from is now in the hands of people
that you will never know. What uses they provide to both marketers and
nefarious scam artists are endless. This is my biggest concern, the data
sets that are popping up around the world are not secured as regulation
mandates, are providing easy to access credentials and intelligence
points to facilitate complex identity fraud, human trafficking and money
laundering operations across the globe.”</p><p>As far as criminal
elements go, the data contained in this database is an identity thief’s
dream. Moreover, a list such as this allows a criminal to target
high-value targets in a given area, based on net worth, travel habits,
or supported cause.</p><p>Kidnapping is a certain possibility for anyone
that has a household income of ‘S’ ($250,000+) or a net worth of ‘I’
($499,999+), especially if they travel overseas. But there is also the
chance that someone could take the list and create identifications for
those that are over the age of 70 and use them to smuggle people into or
out of the country.</p><p>On a technical level, anyone within the data
set that uses the collected data for knowledge-based authentication is
exposed, but it’s also the case that this data can be used to gain
access to such information indirectly. Moreover, the data holds enough
information to develop a sustained phishing campaign, which could open
the door to numerous other crimes.</p><p>“This data set alone (and there
are many more) tells us who makes more than $100,000 a year in a given
zip code and address; what allergies each member may have; how many home
loans they have taken out in 15 years; how many pets; how often they
shop; and about 80 other attributes. Until we start taking our data
seriously, how can we expect the companies that barter and sell it to?”
asked Tate, during a recent email conversation.</p><br></div>