Another Massive Credit Reporting Database Breached By Criminals
from the 'opting-in'-by-existing dept
Lots of companies like gathering lots of data. Many do this without explicit permission from the people they’re collecting from. They sell this info to others. They collect and collect and collect and it’s not until there’s a problem that many people seem to feel the collection itself is a problem.
The Equifax breach is a perfectly illustrative case. Lenders wanted a service that could rate borrowers quickly to determine their trustworthiness. This required a massive amount of data to be collected from numerous creditors, along with personally-identifiable information to authenticate the gathered data. The database built by Equifax was a prime target for exploitation. That this information would ultimately end up in the hands of criminals was pretty much inevitable.
But Equifax isn’t the only credit reporting service collecting massive amounts of data but failing to properly secure it. TransUnion not only collects a lot of the same information, but it sells access to cops, lenders, private investigators, landlords… whoever might want to do one-stop shopping for personal and financial data. This includes criminals, because of course it does.
From January to June 2018, seven members of [Tony] Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.
Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.
The only thing surprising about this is that it only resulted in $1.2 million in damage. The database — originally designed to help hunt down child predators — promises users a “360-degree profile of virtually any person, business or location in the US.” In addition to the wealth of personal and financial data, the database also includes surveillance cam photos and license plate numbers, which makes it even more attractive to government agencies and the occasional criminal.
One of the charged suspects worked for a debt collection firm, selling off personal info to criminals for $100/victim. The rest of the gang’s access relied on swiped credentials. TransUnion is making millions authenticating US residents who can’t even opt out of its collection. But it’s not doing much to ensure only authorized users are accessing its system.
Live by the tech, die by the tech.
In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to [the gang’s Nest] cameras. The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone.
Unhappily, TransUnion told Forbes this wasn’t the first time criminals have gained access to its TLO database. And it certainly won’t be the last, either. The privacy and security of Americans is in the hands of companies who collect this information without their permission and which can seldom be bothered to treat this massive stash of personal info with the respect it deserves.
Filed Under: breach, credit, database, tlo, tony da boss
Comments on “Another Massive Credit Reporting Database Breached By Criminals”
as I got a nice mail for Dish..and decided to ask them to QUIT sending me this crap..
I looked up the fine print and to be removed for the mailing list..
I had to call EQUIFAX..
When a business does this while including a pre-paid envelope
…. you know what to do.
Re: Re: Equifax
Do they still do that? It was fun for a while, and then all the postal spammers targeting me stopped including reply envelopes. And of course they’re sending it at bulk rates so "return to sender" won’t work.
Time to sue them for damages from the identity theft. I suppose it would be helpful if a senator had their identity stolen because of it.
To be a bit pedantic, should it be called identity THEFT? It’s not really taken. More like copied.
A better term would be “identity fraud”, but banks and other institutions prefer “identity theft” because it implictly puts the blame on the victim for having their identity “stolen” rather than the institutions being defrauded for not doing due diligence to prevent the fraud.
Re: Re: Re:
Gaslighting on a global scale, and this huge multi billion dollar industry is just too important so this will continue unabated.
Re: Re: Re: Re:
Nah. It is the consumer’s fault for not reading the 12,000 page EULA where it details that the company is not responsible for the information the user enters into its database and that if the user does not want its personal information in the company’s database, it just has to choose to do no business with the company, any of its affiliates, or any vendor affiliated with one of those affiliates. Simple really. It is the consumer’s fault for storing such sensitive information in easily hackable databases.
Re: Re: Re:2
I can’t give you a “sad but true” vote, so have an Insightful vote instead.
Re: Re: Re:2 Re:
The consumer has no way to opt out of TransUnion or Equifax data collection. Who do we blame now?
Re: Re: Re:3 Re:
I think we are supposed to gaslight ourselves.
We have laws punishing parents who let their child out of the house alone…. but not a single one to punish these companies repetitive failures, or to put the burden on them to fix consumers who are being ripped off b/c of their fucked systems.
These corporations make tons of money from having our data & they treat it like toilet paper leaving citizens to deal with the shit that gets stuck to them.
You know how some animals are more equal than others? The same principle applies to “persons.”
A database is only as good as the Correct data therein. If only there were a way to corrupt data validation…