by Tim Cushing

Filed Under:
breach, credit, database, tlo, tony da boss


Another Massive Credit Reporting Database Breached By Criminals

from the 'opting-in'-by-existing dept

Lots of companies like gathering lots of data. Many do this without explicit permission from the people they're collecting from. They sell this info to others. They collect and collect and collect and it's not until there's a problem that many people seem to feel the collection itself is a problem.

The Equifax breach is a perfectly illustrative case. Lenders wanted a service that could rate borrowers quickly to determine their trustworthiness. This required a massive amount of data to be collected from numerous creditors, along with personally-identifiable information to authenticate the gathered data. The database built by Equifax was a prime target for exploitation. That this information would ultimately end up in the hands of criminals was pretty much inevitable.

But Equifax isn't the only credit reporting service collecting massive amounts of data but failing to properly secure it. TransUnion not only collects a lot of the same information, but it sells access to cops, lenders, private investigators, landlords… whoever might want to do one-stop shopping for personal and financial data. This includes criminals, because of course it does.

From January to June 2018, seven members of [Tony] Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.

Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.

The only thing surprising about this is that it only resulted in $1.2 million in damage. The database -- originally designed to help hunt down child predators -- promises users a "360-degree profile of virtually any person, business or location in the US." In addition to the wealth of personal and financial data, the database also includes surveillance cam photos and license plate numbers, which makes it even more attractive to government agencies and the occasional criminal.

One of the charged suspects worked for a debt collection firm, selling off personal info to criminals for $100/victim. The rest of the gang's access relied on swiped credentials. TransUnion is making millions authenticating US residents who can't even opt out of its collection. But it's not doing much to ensure only authorized users are accessing its system.

Live by the tech, die by the tech.

In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to [the gang's Nest] cameras. The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone.

Unhappily, TransUnion told Forbes this wasn't the first time criminals have gained access to its TLO database. And it certainly won't be the last, either. The privacy and security of Americans is in the hands of companies that collect this information without their permission and that can seldom be bothered to treat this massive stash of personal info with the respect it deserves.

Reader Comments

  • ECA, 17 Oct 2018 @ 11:11am


    as I got a nice mail for Dish..and decided to ask them to QUIT sending me this crap..
    I looked up the fine print and to be removed from the mailing list..
    I had to call EQUIFAX..

    Nuff said.

    • Anonymous Coward, 17 Oct 2018 @ 11:22am

      Re: Equifax

      When a business does this while including a pre-paid envelope
      .... you know what to do.

      • Anonymous Coward, 17 Oct 2018 @ 1:11pm

        Re: Re: Equifax

        "When a business does this while including a pre-paid envelope .... you know what to do."

        Do they still do that? It was fun for a while, and then all the postal spammers targeting me stopped including reply envelopes. And of course they're sending it at bulk rates so "return to sender" won't work.

  • Pixelation, 17 Oct 2018 @ 11:40am

    Time to sue them for damages from the identity theft. I suppose it would be helpful if a senator had their identity stolen because of it.

    To be a bit pedantic, should it be called identity THEFT? It's not really taken. More like copied.

    • Stephen T. Stone, 17 Oct 2018 @ 11:50am


      A better term would be “identity fraud”, but banks and other institutions prefer “identity theft” because it implicitly puts the blame on the victim for having their identity “stolen” rather than the institutions being defrauded for not doing due diligence to prevent the fraud.

      • Anonymous Coward, 17 Oct 2018 @ 12:49pm

        Re: Re:

        Gaslighting on a global scale, and this huge multi billion dollar industry is just too important so this will continue unabated.

        • Anonymous Coward, 17 Oct 2018 @ 1:02pm

          Re: Re: Re:

          Nah. It is the consumer's fault for not reading the 12,000 page EULA where it details that the company is not responsible for the information the user enters into its database and that if the user does not want its personal information in the company's database, it just has to choose to do no business with the company, any of its affiliates, or any vendor affiliated with one of those affiliates. Simple really. It is the consumer's fault for storing such sensitive information in easily hackable databases.

  • That Anonymous Coward, 17 Oct 2018 @ 6:47pm

    We have laws punishing parents who let their child out of the house alone.... but not a single one to punish these companies' repetitive failures, or to put the burden on them to fix consumers who are being ripped off b/c of their fucked systems.

    These corporations make tons of money from having our data & they treat it like toilet paper leaving citizens to deal with the shit that gets stuck to them.

  • Anonymous Coward, 18 Oct 2018 @ 6:06am

    break it

    A database is only as good as the Correct data therein. If only there were a way to corrupt data validation...
