[BreachExchange] Data enrichment records for 200 million people up for sale on the Darknet

[Inga Goddijn]

http://www.csoonline.com/article/3149713/security/data-enrichment-records-for-200-million-people-up-for-sale-on-the-darknet.html#tk.twt_cso

Full data enrichment profiles for more than 200 million people have been
placed up for sale on the Darknet. The person offering the files claims the
data is from Experian, and is looking to get $600 for everything.

Details of this incident came to Salted Hash via the secure drop at Peerlyst
<https://www.peerlyst.com/secure-drop>, where someone uploaded details
surrounding the sale and the data. The data was first vetted by the
technical review board at Peerlyst, who confirmed its legitimacy. Once it
was cleared by the technical team, a sample of the data was passed over to
Salted Hash for additional verification and disclosure.

Calls to individuals in the sample data went to voicemail and were not
returned. Should any of them confirm their information, we’ll update this
story.

Salted Hash also reached out to Experian
<http://www.experian.com/marketing-services/consumerview-data-enrichment.html>
and one other firm, Acxiom <http://www.acxiom.com/data-packages/>, as
sources have speculated the information that’s up for sale aligns with
enrichment data made available by these companies.

Acxiom did not respond to questions. However, sources at Experian said that
they were made aware of this data breach last week, and investigations
determined that it wasn’t their data.

Instead, investigators believe the data on offer is a collection of records
that’s being labeled as Experian’s in order to leverage the company’s name.

“We’ve seen this unfounded allegation and similar rumors before. We
investigated it again – and see no signs that we’ve been compromised based
on our research and the type of data involved. Based on our investigations
and the lack of credible evidence, this is an unsubstantiated claim
intended to inflate the value of the data that they are trying to sell – a
common practice by hackers selling illegal data,” Experian said in an
emailed statement.

So while Experian investigators state the data isn’t theirs, the fact that
the data exists is still a problem.

The seller is taking things seriously too, limiting access to the data by
refusing to deal with potential buyers who have newer accounts or those
with only a few hundred dollars in previous transactions.

There are 203,419,083 people listed in 6GBs worth of records. The profiles
include PII such as a person’s name, full address, date of birth, and phone
number, but because it’s enrichment data - the records also include more
than 80 personal attributes.

Among the additional attributes, profiles include a person’s credit rating
(listed A-H); the number of active accredit lines; whether the person is a
credit card user; if they own or rent their home; the type of home the
person lives in; marital status; the number of children a person has; how
many children are in the home; occupational details; education; net worth;
and total household income.

In addition, some records indicate a person’s political donations,
including fields denoting conservative donations, liberal donations, or
general political causes.

Other fields list personal donations (i.e. veteran’s charities, local
community charities, healthcare charities, international charities, animal
charities, arts or culture charities, children’s charities); and financial
investments (foreign and domestic, including personal investments, stocks
and bonds, or real estate).

There are travel indicators too, including fields for people who travel
internationally, and fields for those who visit casinos. Finally, the
profiles indicate buying preferences, such as if a person is into home
gardening, or has recently purchased auto parts.

Some of the information in the collected records was provided directly to
the data broker by the individual at some point. But data brokers who offer
data enrichment programs use a mix of opt-in details and sourced
information. It’s legal for them to collect, store, and share this
information, provided they comply with various data regulations.
Impact:

Commercially, while data brokers have learned to navigate the various data
privacy laws, such as SB1386 and FCRA, now that this data is out there –
it’s fair game and available for anyone to use. While some of this data
might have previously required permission before it could be used, that’s
no longer the case with this data set.

Salted Hash reached out to J. Tate, CISO of bits&digits, a counter and
social intelligence agency with headquarters in Germany and Columbia, SC,
about the data that’s currently up for grabs. He said sets such as this one
have reached a level of social desensitization that is dangerous.

“Not placing the necessary importance on your digital identity and
collected marketing insights is one of the worst habits one can have,” Tate
said.

“The information collected in this trove, no matter which data-broker or
marketing enrichment system it came from is now in the hands of people that
you will never know. What uses they provide to both marketers and nefarious
scam artist are endless. This is my biggest concern, the data sets that are
popping up around the world are not secured as regulation mandates, are
providing easy to access credentials and intelligence points to facilitate
complex identity fraud, human trafficking and money laundering operations
across the globe.”

As far as criminal elements go, the data contained in this database is an
identity thief’s dream. Moreover, a list such as this allows a criminal to
target high-value targets in a given area, based on net worth, travel
habits, or supported cause.

Kidnapping is a certain possibility for anyone that has a household income
of ‘S’( $250,000+) or a net worth of ‘I’ ($499,999+), especially if they
travel overseas. But there is also the chance that someone could take the
list and create identifications for those that are over the age of 70 and
use them to smuggle people into or out of the country.

On a technical level, anyone within the data set that uses the collected
data for knowledge-based authentication is exposed, but it’s also the case
that this data can be used to gain access to such information indirectly.
Moreover, the data holds enough information to develop a sustained Phishing
campaign, which could open the door to numerous other crimes.

“This data set alone (and there are many more) tells us who makes more than
$100,000 a year in a given zip code and address; what allergies each member
may have; how many home loans they have taken out in 15 years; how many
pets; how often they shop; and about 80 other attributes. Until we start
taking our data seriously, how can we expect the companies that barter and
sell it to?” asked Tate, during a recent email conversation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161213/919ca52a/attachment.html>