On March 12 the Secret Service and FBI confirmed that they are looking into a website that posted personal information of First Lady Michelle Obama, Vice President Joe Biden and more than a dozen celebrities and politicians. The site lists social security numbers, phone numbers, addresses, and even credit reports, information that exposes them to identity theft and personal security issues.
The Equifax credit bureau also confirmed Tuesday, March 12, that criminals have stolen credit reports from AnnualCreditReport.com, the website designed to allow consumers free access to their own credit reports.
The theft suggests criminals have outfoxed AnnualCreditReport.com’s defenses, wrote Bob Sullivan of NBC News, potentially giving them access to 200 million Americans’ credit reports. According to the Consumer Financial Protection Bureau, 16 million consumers use AnnualCreditReport.com annually.
To access a personal file on this website, individuals must answer a series of "out-of-wallet" multiple-choice challenge questions. The answers had to have been culled from social media sites or bought in underground markets. Questions might include "Which of these high schools did you graduate from?" or "Have you ever lived on any of these four streets?"
TransUnion and Experian also confirmed unauthorized persons had managed to access the credit report data.
"TransUnion’s systems were not hacked or compromised in any way," the firm said in a statement to CNBC. "The sophisticated perpetrators of these fraudulent activities had considerable amounts of information about the victims, including Social Security numbers and other sensitive, personal identifying information that enabled them to successfully impersonate the victims over the Internet in order to illegally and fraudulently access their credit reports. TransUnion is taking steps to assist the individuals affected to help minimize any potential impact. We are conducting our own internal investigation and working closely with law enforcement."
Unfortunately, breached reports often end up on hacker sites advertised openly in several cybercrime forums. In most cases, these services are open to all comers and the information is very inexpensive. The only limitation is knowing the site’s current Web address, according to cyber security expert Brian Krebs.
He regularly finds information being sold for prices ranging from 50 cents to $15, depending on the amount and type of information available. While it is not clear where the information comes from, Krebs says that at least some of the lookups appear to have been done manually by people using legitimate access codes to credit report information. Another possibility is that the theft of information from AnnualCreditReport.com has been going on for a while.
The vulnerability of credit-reporting companies, custodians of sensitive personal data from credit card balances to mortgage debts, is gaining greater exposure. Bloomberg News reported in October that Experian was breached 86 times via the accounts of organizations such as banks or auto dealers. In those situations the authorization codes given to vetted companies had been abused.
On March 13 Jay Foley of the ID Theft Info Source told this reporter, “Insider theft of authorized codes will continue to happen, giving thieves a portal to the sensitive information stored in databases. That is a problem that all companies, large or small, need to consider. This is why we continue to advocate strict information storage policies and the compliance of those policies.
“The theft of information from AnnualCreditReport.com is very disturbing. It clearly indicates that the three agencies need to randomize their challenge questions and each use a different set of questions.”