September 25, 2013, 7:35 PM — Today, Krebs on Security revealed that identity thieves have gained access to the databases of three of the biggest data mining companies on the planet.
LexisNexis, Dun & Bradstreet, and Kroll Background America Inc. have been systematically plundered by hackers, most likely from Eastern Europe, who have stolen millions of personal and business records and are selling them on the Internet black market.
A site called SSNDOB has been selling names, Social Security numbers, birthdates, and more culled from these sites via a botnet attack last spring. According to Brian Krebs, you could buy a credit report from the site on anyone for just $15. A background check would run you $12; a driver's license record, $4; and assorted other bits of highly personal info cost 50 cents to $1.50 each.
How bad was this breach? Krebs writes:
A closer examination of the database for the identity theft service shows it has served more than 1.02 million unique SSNs to customers and nearly 3.1 million date of birth records since its inception in early 2012. Thousands of background reports also have been ordered through SSNDOB.
Is your personal info among the records that have been stolen? There is no way of knowing. The only thing you can do is to start keeping a close eye on your credit accounts, order the free annual credit report from each of the big three firms (Experian, Equifax, TransUnion), and put a credit monitor on it to alert you if someone else tries to create a new account using your information.
The worst part of this, notes Krebs, is that identity thieves can use this information to circumvent security safeguards put in place by banks – most of which involve asking detailed questions about your accounts that supposedly only you would be able to answer. By gaining access to full credit reports – and Dun & Bradstreet’s business account records – an attacker could impersonate virtually anyone flawlessly.
So what are these data brokers doing to make their databases more secure? It’s unclear they’re doing much of anything.
Let’s face it. There’s not a lot of incentive for these companies to do what’s necessary to lock down this data. Sure, they’ll take a small hit to their reputations, spend some money cleaning up the mess (usually after being ordered to pay for credit monitoring services), and then continue to do business as usual.