Another Massive Credit Reporting Database Breached By Criminals

from the 'opting-in'-by-existing dept

Lots of companies like gathering lots of data. Many do this without explicit permission from the people they’re collecting from. They sell this info to others. They collect and collect and collect and it’s not until there’s a problem that many people seem to feel the collection itself is a problem.

The Equifax breach is a perfectly illustrative case. Lenders wanted a service that could rate borrowers quickly to determine their trustworthiness. This required a massive amount of data to be collected from numerous creditors, along with personally-identifiable information to authenticate the gathered data. The database built by Equifax was a prime target for exploitation. That this information would ultimately end up in the hands of criminals was pretty much inevitable.

But Equifax isn’t the only credit reporting service that collects massive amounts of data while failing to properly secure it. TransUnion not only collects a lot of the same information, but it sells access to cops, lenders, private investigators, landlords… whoever might want to do one-stop shopping for personal and financial data. This includes criminals, because of course it does.

From January to June 2018, seven members of [Tony] Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.

Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.

The only thing surprising about this is that it only resulted in $1.2 million in damage. The database — originally designed to help hunt down child predators — promises users a “360-degree profile of virtually any person, business or location in the US.” In addition to the wealth of personal and financial data, the database also includes surveillance cam photos and license plate numbers, which makes it even more attractive to government agencies and the occasional criminal.

One of the charged suspects worked for a debt collection firm, selling off personal info to criminals for $100/victim. The rest of the gang’s access relied on swiped credentials. TransUnion is making millions authenticating US residents who can’t even opt out of its collection. But it’s not doing much to ensure only authorized users are accessing its system.

Live by the tech, die by the tech.

In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to [the gang’s Nest] cameras. The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone.

Unhappily, TransUnion told Forbes this wasn’t the first time criminals have gained access to its TLO database. And it certainly won’t be the last, either. The privacy and security of Americans is in the hands of companies that collect this information without their permission and that can seldom be bothered to treat this massive stash of personal info with the respect it deserves.

Companies: transunion


Comments on “Another Massive Credit Reporting Database Breached By Criminals”

Anonymous Coward says:

Re: Re: Re: Re:

Nah. It is the consumer’s fault for not reading the 12,000 page EULA where it details that the company is not responsible for the information the user enters into its database and that if the user does not want its personal information in the company’s database, it just has to choose to do no business with the company, any of its affiliates, or any vendor affiliated with one of those affiliates. Simple really. It is the consumer’s fault for storing such sensitive information in easily hackable databases.

That Anonymous Coward (profile) says:

We have laws punishing parents who let their child out of the house alone…. but not a single one to punish these companies’ repetitive failures, or to put the burden on them to fix consumers who are being ripped off b/c of their fucked systems.

These corporations make tons of money from having our data & they treat it like toilet paper leaving citizens to deal with the shit that gets stuck to them.
