This week, security reporter Brian Krebs uncovered the story of how Experian, one of the three major credit bureaus, unwittingly sold its data to an identity theft outfit. Brooke talks to Krebs about how he discovered this significant breach.
BROOKE GLADSTONE: Let’s just stipulate that our personal information - where we go, what we do, what we buy - is the currency of the Internet. Brokering that data is a billion-dollar business, the stock in trade of companies, both legitimate and not, companies that sell your Social Security numbers, bank routing numbers, right down to your mother's maiden name, so that your identity can be easily, profitably stolen. Brian Krebs reports on security news at his website, krebsonsecurity.com. This week, he uncovered the story of how Experian, one of the three major credit bureaus, a massive repository of millions of people's financial history, unwittingly sold its data to an outfit that facilitates identity theft. It's a complicated story, starting with some strange codes attached to stolen data Krebs got from an identity theft outfit called Superget.info. Those codes were ultimately traced to a legitimate data brokerage firm called U.S. Info Search. And I’ll let Brian pick it up from there.
BRIAN KREBS: Well, I called up the CEO of U.S. Info Search and he said he’d been contacted by the US Secret Service and that Federal agents were investigating Experian as the source of this information. The CEO of U.S. Info Search explained that his firm had struck an information-sharing agreement with another data aggregator, the company called Court Ventures.
BROOKE GLADSTONE: So how is Court Ventures connected?
BRIAN KREBS: Well, Court Ventures was acquired by Experian in early 2012 because of their extensive consumer database. And, at some point, the guys running this Superget.info identity theft site posed as a private investigator in the US, looking up records, via Court Ventures, aka, Experian.
BROOKE GLADSTONE: Mm-hmm.
BRIAN KREBS: And he also told me that they routinely paid for the [LAUGHS] information that they were looking up, using wire transfers from Singapore.
BROOKE GLADSTONE: Most people don't pay that way.
BRIAN KREBS: [LAUGHS] Most people don’t pay via wire transfers and they certainly don’t come from Singapore, particularly if they’re supposed to be a legitimate US organization. This should have thrown up some big red flags for Experian.
BROOKE GLADSTONE: So how do we know that these crooks used Experian’s data?
BRIAN KREBS: I don't have enough data at this point to say definitively that they didn’t because, frankly, Experian has declined to offer much information. There has to be another way of getting these companies to divulge information about their information-collection practices and what sort of access consumers actually have to the information that’s being collected about them. The majority of Americans, unless they have a problem with their credit or they have, God forbid, an identity theft problem, they probably don't have a reason to interact with companies like Experian. They probably don't even know that companies like Experian are collecting their information.
BROOKE GLADSTONE: Last year, the FTC called on data brokers to give consumers access to their own information through an easy-to-use common portal. How did that work out? And what else is the FTC trying to do?
BRIAN KREBS: [LAUGHS] Well, that hasn’t worked out so well. There, there have been a couple of data brokers that have put up pages on their sites that allow people to remove their information or to opt out of having their information. But the processes involved are so onerous that very few people are going to undertake them. You have to get signed copies or notarized copies of different documents. You have to basically send them every piece of information about you that they may not already have and hope that at the end of the day they’re gonna follow through on that request in a timely way.
BROOKE GLADSTONE: Is there a requirement that these data companies at least tell us when they’ve been breached?
BRIAN KREBS: Yes, there are laws on the books in 48 states and the District of Columbia that generally require companies that hold information on US consumers to provide notice to those consumers if their information has been compromised.
BROOKE GLADSTONE: This is weird, 48 states, but it's not a national law.
BRIAN KREBS: This is one of my biggest pet peeves here, Brooke. It’s hard to find a security issue that is more bipartisan and has more support from the technology community at large than the push to enact a national data breach disclosure law. They’ve been asking for this for almost a decade now, and Congress hasn't seen fit to put whatever effort they need to put into it to actually pass this law, let alone get into additional privacy protections for consumers. I think the real story here is that all of the information that makes up who you are, as far as creditors are concerned, it’s all for sale, either by these data brokers or by crooks who are running these types of identity theft services. How do we get past using these things that are supposed to be private, you know, SSN, mother’s maiden name, etc., as de facto identifiers, right, because they're not private anymore? [LAUGHS] And anybody who pretends they are hasn’t been paying attention to what's been going on in the last couple of years.
BROOKE GLADSTONE: Thank you, Brian.
BRIAN KREBS: Thank you very much.
BROOKE GLADSTONE: Brian Krebs does his investigations at Krebsonsecurity.com.