Another Massive Credit Reporting Database Breached By Criminals

from the 'opting-in'-by-existing dept

Lots of companies like gathering lots of data. Many do this without explicit permission from the people they're collecting from. They sell this info to others. They collect and collect and collect and it's not until there's a problem that many people seem to feel the collection itself is a problem.

The Equifax breach is a perfectly illustrative case. Lenders wanted a service that could rate borrowers quickly to determine their trustworthiness. This required a massive amount of data to be collected from numerous creditors, along with personally-identifiable information to authenticate the gathered data. The database built by Equifax was a prime target for exploitation. That this information would ultimately end up in the hands of criminals was pretty much inevitable.

But Equifax isn't the only credit reporting service collecting massive amounts of data but failing to properly secure it. TransUnion not only collects a lot of the same information, but it sells access to cops, lenders, private investigators, landlords… whoever might want to do one-stop shopping for personal and financial data. This includes criminals, because of course it does.

From January to June 2018, seven members of [Tony] Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.

Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.

The only thing surprising about this is that it only resulted in $1.2 million in damage. The database -- originally designed to help hunt down child predators -- promises users a "360-degree profile of virtually any person, business or location in the US." In addition to the wealth of personal and financial data, the database also includes surveillance cam photos and license plate numbers, which makes it even more attractive to government agencies and the occasional criminal.

One of the charged suspects worked for a debt collection firm, selling off personal info to criminals for $100/victim. The rest of the gang's access relied on swiped credentials. TransUnion is making millions authenticating US residents who can't even opt out of its collection. But it's not doing much to ensure only authorized users are accessing its system.

Live by the tech, die by the tech.

In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to [the gang's Nest] cameras. The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone.

Unhappily, TransUnion told Forbes this wasn't the first time criminals have gained access to its TLO database. And it certainly won't be the last, either. The privacy and security of Americans is in the hands of companies that collect this information without their permission and that can seldom be bothered to treat this massive stash of personal info with the respect it deserves.


Filed Under: breach, credit, database, tlo, tony da boss
Companies: transunion


Reader Comments

  • ECA, 17 Oct 2018 @ 11:11am

    Equifax

    FUNNY..
    as I got a nice mail for Dish..and decided to ask them to QUIT sending me this crap..
    I looked up the fine print and to be removed from the mailing list..
    I had to call EQUIFAX..

    Nuff said.

    • Anonymous Coward, 17 Oct 2018 @ 11:22am

      Re: Equifax

      When a business does this while including a pre-paid envelope
      .... you know what to do.

      • Anonymous Coward, 17 Oct 2018 @ 1:11pm

        Re: Re: Equifax

        When a business does this while including a pre-paid envelope .... you know what to do.

        Do they still do that? It was fun for a while, and then all the postal spammers targeting me stopped including reply envelopes. And of course they're sending it at bulk rates so "return to sender" won't work.

  • Pixelation, 17 Oct 2018 @ 11:40am

    Time to sue them for damages from the identity theft. I suppose it would be helpful if a senator had their identity stolen because of it.

    To be a bit pedantic, should it be called identity THEFT? It's not really taken. More like copied.

    • Stephen T. Stone, 17 Oct 2018 @ 11:50am

      Re:

      A better term would be “identity fraud”, but banks and other institutions prefer “identity theft” because it implicitly puts the blame on the victim for having their identity “stolen” rather than the institutions being defrauded for not doing due diligence to prevent the fraud.

      • Anonymous Coward, 17 Oct 2018 @ 12:49pm

        Re: Re:

        Gaslighting on a global scale, and this huge multi billion dollar industry is just too important so this will continue unabated.

        • Anonymous Coward, 17 Oct 2018 @ 1:02pm

          Re: Re: Re:

          Nah. It is the consumer's fault for not reading the 12,000 page EULA where it details that the company is not responsible for the information the user enters into its database and that if the user does not want its personal information in the company's database, it just has to choose to do no business with the company, any of its affiliates, or any vendor affiliated with one of those affiliates. Simple really. It is the consumer's fault for storing such sensitive information in easily hackable databases.

          • Stephen T. Stone, 17 Oct 2018 @ 2:35pm

            I can’t give you a “sad but true” vote, so have an Insightful vote instead.

          • Anonymous Coward, 17 Oct 2018 @ 3:41pm

            Re: Re: Re: Re:

            The consumer has no way to opt out of TransUnion or Equifax data collection. Who do we blame now?

  • That Anonymous Coward, 17 Oct 2018 @ 6:47pm

    We have laws punishing parents who let their child out of the house alone.... but not a single one to punish these companies' repetitive failures, or to put the burden on them to fix consumers who are being ripped off b/c of their fucked systems.

    These corporations make tons of money from having our data & they treat it like toilet paper leaving citizens to deal with the shit that gets stuck to them.

  • Anonymous Coward, 18 Oct 2018 @ 6:06am

    break it

    A database is only as good as the Correct data therein. If only there were a way to corrupt data validation...
