Long read, but very entertaining(NOT!) There should be an exam after reading, to assure you get the whole thing. ================================ Top US credit bureau reportedly sold social security numbers to Vietnamese scammer One of the top US credit bureaus was scammed into selling social security numbers to a Vietnamese hacker for months, according to a report from Krebs on Security. Experian — one of the three national US credit bureaus — reportedly sold SSNs through its subsidiary, Court Ventures, to Hieu Minh Ngo, who allegedly operated an identity theft service called SuperGet.info. The site also sold drivers license, bank account, and credit card numbers along with other personal data, though its not clear how much of it came from Experian. Ngo has since been indicted in New Hampshire following his entry into the US. The alleged fraudster posed as a private investigator Though Experian holds highly personal information so that it can issue credit reports, it may at times sell that information to other ostensibly discreet parties that offer services such as fraud prevention. By posing as a US-based private investigator in need of such information, Ngo was able to gain access to Experians data through Court Ventures, reports Krebs. But while Court Ventures only discovered the mishap after it was alerted by the US Secret Service, Krebs writes that the company didnt catch odd inconsistencies with Ngos story, such as his monthly payments coming through wire transfers from Singapore. In a statement to Krebs, Experian acknowledges the general details of the report, including that Court Ventures was selling data to Ngo, who appeared to be engaged in illegal activities. Though Experian says that its credit files werent accessed, it doesnt clarify exactly what information was exposed. While Krebs writes that its still unclear if Experian will see any repercussions for its role or potential negligence, it also reports that similar cases have brought about lawsuits from the FTC DATA BROKER BREAKDOWN Meanwhile, it’s not clear what — if any — trouble Experian may face as a result of its involvement in the identity theft scheme. This incident bears some resemblance to a series of breaches at ChoicePoint, a data aggregator that acted as a private intelligence service to government and industry. Beginning in 2004, ChoicePoint suffered several breaches in which personal data on American citizens was accessed by crooks who’d used previously stolen identities to create apparently legitimate businesses seeking ChoicePoint accounts. ChoicePoint was later sued by the U.S. Federal Trade Commission, an action that produced a $10 million settlement — the largest in the agency’s history for a violation of federal privacy law. In 2008, ChoicePoint was acquired by Reed Elsevier, the parent company of data aggregator LexisNexis. Last month, KrebsOnSecurity published an exclusive story showing how the proprietors of an identity theft service that competed with superget.info had hacked into the networks of LexisNexis, as well as data brokers Kroll and Dun & Bradstreet. Avivah Litan, a financial fraud analyst with Gartner Inc., said this latest exposure raises serious questions about U.S. regulators’ capacity to monitor the due care of extremely sensitive consumer data, in accordance with the Fair Credit Reporting Act. Litan said that under 15 U.S.C. 1681b (PDF) credit reporting agencies have strict guidelines regarding to whom they may distribute consumer reports. While the government shutdown certainly affected regulator business in October 2013, where have the regulators been for the last seven years when it comes to protecting sensitive consumer data? Have those efforts been shut down as well? “It’s clear that criminal identity theft organizations are excluded from the list of users with ‘permissible purposes’,” Litan said. ” While the government shutdown certainly affected regulator business in October 2013, where have the regulators been for the last seven years when it comes to protecting sensitive consumer data? Have those efforts been shut down as well?” There are signs that at least some federal regulators may be taking a harder look at the practices of the data broker industry. In an August 2013 keynote speech (PDF) at the Technology Policy Institute’s Aspen Forum, FTC Chairwoman Edith Ramirez said “the time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight. In other words, with big data comes big responsibility. Firms that acquire and maintain large sets of consumer data must be responsible stewards of that information.” Ramirez noted that the FTC can already bring actions under Section 5 of the FTC Act, and that it will continue to be active in punishing data brokers that fail to secure the information they collect. But she said stronger incentives to push firms to safeguard big data must be in place, and that the FTC has urged Congress to give the agency civil penalty authority against companies that fail to maintain reasonable security. “Firms of all sorts are using consumer data in ways that may not just be contrary to consumers’ expectation, but could also be harmful to their interests,” Ramirez said. “This problem is perhaps seen most acutely with data brokers — companies that collect and aggregate consumer information from a wide array of sources to create detailed profiles of individuals. Their success depends on having more and better data than their rivals. The concern is that their mega-databases may contain highly sensitive information. The risk of improper disclosure of sensitive information is heightened because consumers know nothing about these companies and their practices are invisible to consumers.” Last year, the FTC called on data brokers to give consumers access to their information through an easy-to-find, easy-to-use common portal. The agency also supported legislation to give consumers access to, and a right to dispute or suppress, data held by brokers. As it stands, Congress can’t even bring itself to pass a national data breach disclosure law, a relatively nonpartisan legislative effort that has enjoyed broad support from industry leaders for nearly a decade. FTC Chairwoman Ramirez said the agency also issued subpoenas to nine data brokers, seeking information about the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which they allow consumers to access and correct their information or opt out of having their personal information sold. The FTC said it expects to issue a report later this year with its findings.
Posted on: Tue, 22 Oct 2013 22:01:53 +0000
Trending Topics
Recently Viewed Topics
© 2015