Cyber Identity theft service sold personal information on US citizens by compromising multinational consumer and business data aggregators

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of US residents has allegedly infiltrated computers at some of America’s largest consumer and business data aggregators, including Dun & Bradstreet according to Krebs on Security. 

If you’re Australian or a resident of other countries where these guys operate, you had better hope that these companies didn’t leak information between their subsidiaries and the main office – because you know that would never ever (cross fingers) happen !!

This looks like a solid investigation by the guys/gals at Krebs. The hackers at the back of this identity theft service didn’t exfiltrate data from their targets wholesale, they just compromised the targets and allowed their customers to directly query information and charged them between 50c and $2.50 US for personal records and up to $15 for credit checks – via Bitcoin or Webmoney of course!

Compromised systems accessed through the criminal service seem to include

Importantly, the compromise was probably targeted as much on gaining information about companies to take out fraudulent loans  on them according to a Gartner analyst. If a criminal can masquerade as a large company, they can take out a much larger loan on their behalf than they could on all but the richest people.

This may take a little while to play out, but it is likely to have an impact on legislative requirements for information security by data aggregator firms. By their very nature, they hold aggregated data from millions of customers. Each piece of data requires protections, together the data becomes far more valuable and therefore a greater target for cyber criminals and foreign espionage. How we deal with aggregation remains one of the keys to the risk based handling of big data.