Millions of ID records on sale as five big data firms hacked “for months”

An “identity theft service” which specialises in selling personal details gained access to some of the biggest consumer data firms in America, including Lexis Nexis and Kroll – and has had access to their computer systems “for months”, according to a report.

The site stole 3.1 million date-of-birth records and over a million social security numbers – and offered data on famous Americans including Michelle Obama, Beyonce and the director of the CIA. The breach was uncovered in a long investigation by security expert Brian Krebs, and reported on Krebs on Security.
Krebs’s report related to a website –  ssndob[dot]ms – which Krebs said had been offering personal data on any U.S. resident for two years, including addressses, birth dates, and credit and background checks, with prices ranging from 50c to $15.
Krebs said that until now, many had been puzzled where this data came from.

“The miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators,” Krebs writes. “Last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet — a collection of hacked computers that are controlled remotely by attackers.

“This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States.”
Krebs claims that the botnet had access to five servers, two at Lexis-Nexis, and two at Dun and Bradstreet, as well as another server at Altegrity, which provides an employee-screening service called HireRight, according to Information Age.
The firms say they are investigating, according to Krebs.
Infosecurity quoted statements made by Gartner analyst Avivah Litan three years ago regarding the availability of information such as birth dates and social security numbers to criminals, saying, “”I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them.”

According to Infosecurity, Latan suggested that data firms were being “phished” to provide data as the basis for ID theft. “They simply get access to these employees accounts and get the keys to the data treasures,” Latan said, “They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes based on external data from public data aggregators and the credit bureaus.”