Dark Reading is part of the Informa Tech Division of Informa PLC
Comments
Experian ID Theft Exposed 200M Consumer Records
pfretty (User Rank: Apprentice), 3/18/2014 | 6:05:43 PM
Resolution time
It always amazes me how long it takes organizations to resolve these issues after they realize, usually from a third party, that something is wrong. According to the 2013 HP-Ponemon Institute Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013), on average incident resolution takes 32 days, and the average organization deals with 100-plus attacks per year. Time to change the culture and attitude towards preparing and maintaining a secure front.

Peter Fretty (j.mp/pfrettyhp)
Michael Endler (User Rank: Apprentice), 3/12/2014 | 3:23:27 PM
Veil of Secrecy
"In particular, the report accused the nine data brokers under investigation -- including Experian -- of operating 'behind a veil of secrecy.'"

No kidding. I wouldn't be a fan of Experian even if this breach hadn't occurred. Now that it has, I hope more people question the influence these kinds of companies wield.
LeeC216 (User Rank: Apprentice), 3/12/2014 | 2:33:05 PM
Re: paper scissors rock.. gambling with your data
Gmail addresses are more valuable than Facebook email addresses.

Your suggestion that one try all login methods and then guess what data is being mined from each one is just playing paper scissors rock.

There is no valid reason Information Week needs relationship data for a comment. Given you point out they collect fewer data points with Gmail logins, it would argue that the excess collection is unwarranted.

Thus, even if someone agreed with playing paper scissors rock with the logins, Information Week is collecting data for no valid business reason.

They collect it to mine data.  They are part of the problem, not the solution.

Secondly, the farmed content (rewritten from Brian's article) is now linked on InfoSec News and Dark Reading. This is how companies hijack content, make it their own, and then propagate it. That way they essentially take readers away from the original author. In effect they steal content much like a scraper site that republishes content.

Of course the business model promises great rewards, but it's all smoke and mirrors. In the aggregate, we are all poorer by such businesses that try to get grandma to buy soap A instead of soap B.

The shocking thing to me is the author of the article and Information Week feel no remorse; they don't feel they have done anything wrong. They are, as the infamous banker said, "doing God's work", so they think.

It's particularly troubling to see these folks clearly viewing themselves as on the side of 'good'. When put up against the golden rule ("do unto others as you would have them do unto you"), the information mining and selling of our data fails miserably. Information Week doesn't sell its email addresses, relationships, etc. They consider that too risky and too valuable. But they have no problem with mining data in exchange for posting a comment. The price to have a voice in the internet era is very, very high indeed. Even if one does not comment, they will mine the page views, so the price to even hear about a story they stole from someone else is quite high.

And that's the great business model of big data. It's not about actually making a product or creating content; it's about content farming and selling your data. It's not a sustainable economic model, and in the aggregate we are all poorer for it. Some will get rich if they cash out before the 'big one', but in aggregate, we are all poorer.


So no, gmail address instead of facebook is just paper scissors rock.
Mathew (User Rank: Apprentice), 3/12/2014 | 10:40:57 AM
Re: Zero Trust
Interesting take.

On a related note, the Experian Data Breach Resolution service in November issued a report predicting that data breaches and related fraud would increase, especially as consumers' "breach fatigue" intensified.
Drew Conry-Murray (User Rank: Ninja), 3/12/2014 | 10:34:04 AM
Zero Trust
This is why I didn't sign up for Target's free credit monitoring after Target got breached. I didn't want to volunteer my information to companies like this because they are lousy stewards (not to mention I have serious problems with the whole business model).
rradina (User Rank: Apprentice), 3/12/2014 | 10:14:44 AM
Re: Numbers
You don't have to login with Facebook on this site.  I use a Google e-mail account.  I don't do much with it but collect spam from various places where I use it as a login.  I never use Facebook as a login, anywhere, period.  If Facebook is required, then I don't login.
Mathew (User Rank: Apprentice), 3/12/2014 | 9:37:22 AM
Re: Numbers
Jim: The short answer is that the database to which Ngo had access contained information on 200 million US consumers. The government has said that Ngo's clients (i.e. criminals) made 3.1 million queries. As of about 2 weeks ago (at the hearing) it wasn't able to say which US citizens had their records accessed, at least not yet. 

During the recent hearing, Ngo said that he couldn't confirm/deny the government's numbers, because he simply didn't know. 

Accordingly, if the government's count is accurate, then 3.1 million queries were made, and many, many more records may have been accessed. But when it comes to data breaches, initial counts can fluctuate wildly (in either direction).

I have a query out to Experian, asking if it can confirm the 3.1 million query number. 

From a security/privacy standpoint, the fact that an ID theft ring gained access over a period of many months to an Experian-run database that contained information on 200 million people is troubling.
LeeC216 (User Rank: Apprentice), 3/12/2014 | 1:05:17 AM
Re: Numbers
1) It must be noted that to reply to your comment, I had to 'consent' to having my Facebook data mined by InfoWeek, so let's be clear, they ARE part of the problem, and add one to the list of compromised information. :)


2) The numbers don't add up due to a) imprecise estimates, b) a request for a record returns a page of records, thus there is a multiplier applied to the requests to get to the result, and c) unclear reporting, which is likely due to lack of understanding, time pressure, and grabbing the numbers from Brian's blog instead of doing the math themselves.


Unfortunately, the media is part of the problem. They feel they must repackage the story to add to InfoWeek 'content' rather than simply linking to it. This is a similar model to the data brokers who copy the data and pass it around as well. In the end, there is little 'new' content. The money is made in repackaging and selling it, as this article does.

The problem, of course, is that in the aggregate, society loses while the data brokers are like gamblers who use your data as the casino chips. Given that there is at least a non-zero chance of losing the data, through hacks such as Target, or scams such as Experian, or goofs where they publish the data accidentally, and given that there is no end date for the gambling, the probability of disaster is certainty.

In the aggregate, there isn't any gain from getting a consumer to buy soap A vs soap B. In fact, there is a loss. And given that eventually the whole thing will be compromised, it becomes eerily similar to the derivatives and leveraged gambling that caused the recent Great Recession. A few will get rich, particularly those that build the casino, gamble with your data, and cash in (sell shares to your pension fund). They will walk away rich, as the bankers did.

I don't think we learned a darned thing from the financial crisis.  The IT folks think they are smarter than the financial engineers because the IT folks can scale up and leverage more.

It won't end well.

Anyway, the answer to your question is in the many-to-one ratio of requests to records returned. As an example, if you put in "John Smith" you get a whole list of John Smiths, and you just pick the ones you want (yup, they just let folks browse the info!), but hey, they are paying customers, so it's "OK".

Well, now back to blocking InformationWeek from my fake Facebook data. Gotta run!


good luck.
Jim Donahue (User Rank: Apprentice), 3/11/2014 | 1:46:12 PM
Numbers
I'm not quite following the numbers here. Is it they had access to a database with info on 200M users but only accessed data on 3.1M?
