Celeb Data Breach Traced To Credit Reporting Site

Tiger Woods and Mitt Romney are latest to see personal financial details published; credit agencies confirm hackers took data from AnnualCreditReport.com.

Mathew J. Schwartz, Contributor

March 13, 2013

5 Min Read

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013 (click image for larger view and for slideshow)

Experian, Equifax and TransUnion, the country's three biggest credit-reporting agencies, have confirmed that hackers fraudulently obtained copies of credit reports for celebrities and government officials.

"We are aware of recent media reports pertaining to unauthorized access to files belonging to high-profile individuals," read a statement released Tuesday by Equifax. "Equifax can confirm that fraudulent and unauthorized access to four consumer credit reports has occurred."

The information had allegedly been obtained via AnnualCreditReport.com, which was created in 2003 after Congress passed legislation requiring that each of the three credit bureaus offer -- to the approximately 200 million consumers whose information they track -- a free annual copy of their credit report. According to the Consumer Financial Protection Bureau, the service is used annually used by 16 million consumers.

According to a statement released by TransUnion, whoever obtained the credit reports would have had to provide a social security number as well as "considerable amounts" of personal information to trick the system into generating a credit report.

[ For more on recent high-profile information breaches, see Hackers Appear To Target Michelle Obama, FBI Director. ]

By Wednesday, the list of people who'd been "doxed" by having their personal financial details published to a website called Exposed.su included professional golfer Tiger Woods, U.S. Marshals Service director Stacia Hylton, and former presidential candidate Mitt Romney. This is in addition to the information published Monday and Tuesday pertaining to first lady Michelle Obama, Vice President Joe Biden, FBI director Robert Mueller, Attorney General Eric Holder and Los Angeles Police Department (LAPD) chief Charlie Beck, as well as celebrities Arnold Schwarzenegger, Beyonce, Jay-Z, Kim Kardashian and Paris Hilton.

A counter on Exposed.su showed that by Wednesday the website had been viewed nearly half a million times. According to statements released by Experian, Equifax and TransUnion, at least some of the information on the site -- which includes phone numbers, addresses and credit history -- is accurate.

President Obama Tuesday told ABC News that authorities are investigating the alleged breach. "We should not be surprised that if you've got hackers that want to dig in and devote a lot of resources, that they can access this information," Obama said. "Again, not sure how accurate but ... you've got websites out there that tell people's credit card info. That's how sophisticated they are."

Officials at the FBI and the U.S. Secret Service, reached by phone Tuesday, said that both of their agencies had begun related investigations. Likewise, the Los Angeles Police Department is investigating the disclosure of information relating to chief Charlie Beck, as well as any affected people inside their jurisdiction who request an investigation.

The information used by attackers to access the credit reports for Los Angeles Police Department officials -- involving social security numbers and some types of personal information -- was likely taken from a supposedly secure city employee database, according to Frank Preciado, assistant officer in charge at the LAPD online section, reported Politico.

Los Angeles police commander Andrew Smith, in a press conference, noted that it wasn't the first time that information about LAPD officials has been published online. "People get mad at us, go on the Internet and try to find information about us, and post it all on one site," he said. But as for this recent round of breaches, he said, "It's a creepy thing to do."

Who's responsible for creating the Exposed.su website? So far, that's not clear, though what's interesting is the choice of top-level domain name -- .su -- which refers to the Soviet Union, and which can still be used to register sites. "Using a .su domain to host tells me these guys probably weren't that stupid -- this is a statement not a prank I think," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," on Twitter.

Likewise, it's not clear how the site's administrator obtained the credit reports. "Many questions remain as to whether this was a straightforward hack, or if the hackers were able to gain unauthorized access to the data via other means," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "One possibility is that the hackers were able to scoop information up off the net about particular individual public figures, and then use that to successfully impersonate their targets and access credit histories."

More evidence that whoever is behind the site knows what they're doing came via an error page on the Exposed.su website, which revealed that the site's administrator had signed up for CloudFlare, which helps keep sites online in the event of heavy amounts of page browsing or even some types of distributed denial-of-service (DDoS) attacks. CloudFlare, interestingly, is no stranger to controversy -- the company chose to continue working with hacktivist group LulzSec in 2011 after the group began publishing information that it had obtained by hacking into Sony's servers. "While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published," said CloudFlare CEO Matthew Prince in a blog posted at the time. "That is a slippery slope down which we will not tread."

Regardless of how long the doxed financial information remains online -- and the site remained live Wednesday -- the episode has highlighted poor protections offered by restricting access to information based on social security numbers, Marc Maiffret, CTO of BeyondTrust, told U.S.News & World Report. "Pretty much everything comes falling down once you have a social security number," he said. "Once somebody has that, the person has the keys to everything."

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights