Comments
Experian ID Theft Exposed 200M Consumer Records
pfretty
User Rank: Apprentice
3/18/2014 | 6:05:43 PM
Resolution time
It always amazes me how long it takes organizations to resolve these issues after they realize, usually from a third party, that something is wrong.  According to the 2013 HP-Ponemon Institute Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013), on average incident resolution takes 32 days, and the average organization deals with 100 plus attacks per year.  Time to change the culture and attitude towards preparing and maintaining a secure front.

Peter Fretty (j.mp/pfrettyhp)
Michael Endler
User Rank: Apprentice
3/12/2014 | 3:23:27 PM
Veil of Secrecy
"In particular, the report accused the nine data brokers under investigation -- including Experian -- of operating 'behind a veil of secrecy.'"

No kidding. I wouldn't be a fan of Experian even if this breach hadn't occurred. Now that it has, I hope more people question the influence these kinds of companies wield.
LeeC216
User Rank: Apprentice
3/12/2014 | 2:33:05 PM
Re: paper scissors rock.. gambling with your data
gmail addresses are more valuable than facebook email addresses.

Your suggestion that one try all login methods and then guess what data is being mined from each one is just playing paper scissors rock.

There is no valid reason Information Week needs relationship data for a comment.  Given you point out they collect fewer data points with gmail logins, it would argue that the excess collection is unwarranted.

Thus, even if someone agreed with playing paper scissors rock with the logins, Information Week is collecting data for no valid business reason.

They collect it to mine data.  They are part of the problem, not the solution.

Secondly, the farmed content (rewritten from Brian's article) is now linked on infosec news, and dark reading.  This is how companies hijack content, make it their own, and then propagate it.  That way they essentially take readers away from the original author.  In effect they steal content much like a scraper site that republishes content.

Of course the business model promises great rewards, but it's all smoke and mirrors.  In the aggregate, we are all poorer by such businesses that try to get grandma to buy soap A instead of soap B.

The shocking thing to me is the author of the article and Information Week feel no remorse; they don't feel they have done anything wrong.  They are, as the infamous banker said, "doing God's work", so they think.

It's particularly troubling to see these folks clearly viewing themselves as on the side of 'good'.  When put up against the golden rule (do unto others as you would have them do unto you), the information mining and selling of our data fails miserably.  Information Week doesn't sell its email addresses, relationships, etc.  They consider that too risky and too valuable.  But they have no problem with mining data in exchange for posting a comment.  The price to have a voice in the internet era is very very high indeed.  Even if one does not comment, they will mine the page views, so the price to even hear about a story they stole from someone else is quite high.

And that's the great business model of big data.  It's not about actually making a product or creating content, it's about content farming and selling your data.  It's not a sustainable economic model and in the aggregate we are all poorer for it.  Some will get rich if they cash out before the 'big one', but in aggregate, we are all poorer.

So no, gmail address instead of facebook is just paper scissors rock.
Mathew
User Rank: Apprentice
3/12/2014 | 10:40:57 AM
Re: Zero Trust
Interesting take.

On a related note, the Experian Data Breach Resolution service in November issued a report predicting that data breaches and related fraud would increase, especially as consumers' "breach fatigue" intensified.
Drew Conry-Murray
User Rank: Ninja
3/12/2014 | 10:34:04 AM
Zero Trust
This is why I didn't sign up for Target's free credit monitoring after Target got breached. I didn't want to volunteer my information to companies like this because they are lousy stewards (not to mention I have serious problems with the whole business model).
rradina
User Rank: Apprentice
3/12/2014 | 10:14:44 AM
Re: Numbers
You don't have to login with Facebook on this site.  I use a Google e-mail account.  I don't do much with it but collect spam from various places where I use it as a login.  I never use Facebook as a login, anywhere, period.  If Facebook is required, then I don't login.
Mathew
User Rank: Apprentice
3/12/2014 | 9:37:22 AM
Re: Numbers
Jim: The short answer is that the database to which Ngo had access contained information on 200 million US consumers. The government has said that Ngo's clients (i.e. criminals) made 3.1 million queries. As of about 2 weeks ago (at the hearing) it wasn't able to say which US citizens had their records accessed, at least not yet. 

During the recent hearing, Ngo said that he couldn't confirm/deny the government's numbers, because he simply didn't know. 

Accordingly, if the government's count is accurate, then 3.1 million queries were made, and many, many more records may have been accessed. But when it comes to data breaches, initial counts can fluctuate wildly (in either direction).

I have a query out to Experian, asking if it can confirm the 3.1 million query number. 

From a security/privacy standpoint, the fact that an ID theft ring gained access over a period of many months to an Experian-run database that contained information on 200 million people is troubling.
LeeC216
User Rank: Apprentice
3/12/2014 | 1:05:17 AM
Re: Numbers
1) It must be noted that to reply to your comment, I had to 'consent' to having my facebook data mined by infoweek, so let's be clear, they ARE part of the problem, and add one to the list of compromised information. :)


2) the numbers don't add up due to a) imprecise estimates b) a request for a record returns a page of records, thus there is a multiplier applied to the requests to get to the result and c) unclear reporting, which is likely due to lack of understanding, time pressure, and grabbing the numbers from Brian's blog instead of doing the math themselves.


Unfortunately, the media is part of the problem.  They feel they must repackage the story to add to infoweek 'content' rather than simply linking to it.  This is a similar model to the data brokers who copy the data and pass it around as well.  In the end, there is little 'new' content.  The money is made in repackaging and selling it, as this article does.

The problem of course, is in the aggregate, society loses while the data brokers are like gamblers who use your data as the casino chips.  Given that there is at least a non-zero chance of losing the data, through hacks such as Target, or scams such as Experian, or goofs where they publish the data accidentally, and given that there is no end date for the gambling, the probability of disaster is certainty.

In the aggregate, there isn't any gain from getting a consumer to buy soap A vs soap B.  In fact, there is a loss.  And given that eventually the whole thing will be compromised, it becomes eerily similar to the derivatives and leveraged gambling that caused the recent Great Recession.  A few will get rich.. particularly those that build the casino, gamble with your data, and cash in (sell shares to your pension fund).  They will walk away rich.. as the bankers did.

I don't think we learned a darned thing from the financial crisis.  The IT folks think they are smarter than the financial engineers because the IT folks can scale up and leverage more.

It won't end well.

Anyway, the answer to your question is in the many to one ratio of requests to records returned.  As an example, if you put in john smith you get a whole list of john smiths, and you just pick the ones you want (yup, they just let folks browse the info!).. but hey, they are paying customers.. so it's "OK".

..well, now back to blocking informationweek from my fake facebook data.. gotta run!


good luck.
Jim Donahue
User Rank: Apprentice
3/11/2014 | 1:46:12 PM
Numbers
I'm not quite following the numbers here. Is it they had access to a database with info on 200M users but only accessed data on 3.1M?