Hackers may have compromised the networks of data aggregators that compile information on businesses and individuals.
What is more troubling is speculation that the confidential information could have been sold online.
At the center of the controversy is a website called ssndob.ms (SSNDOB). It sells Social Security numbers, birth records, credit cards, and background reports.
Hackers, perhaps connected to the UGNazi group, in March used the site to get confidential information on Beyonce, Kanye West, First Lady Michelle Obama, and CIA Director John Brennan.
Image via Shutterstock
As a result, Equifax, Experian and Trans Union confirmed their systems were breached apparently by tricks.
Looking at the circumstances for seven months, KrebsOnSecurity examined the SSNDOB database and alleged they are running a "small but very potent botnet."
The SSNDOB operators had “infiltrated” at least five infected systems at U.S. consumer and business aggregators, according to the Krebs report.
Among those impacted are: LexisNexis, a database of legal and public record information; Dun & Bradstreet (News - Alert); and a business that does background checks, formerly called Kroll Background America and now part of HireRight.
In the summer, SSNDOB “was compromised by multiple attackers, its own database plundered,” Krebs adds.
“All three victim companies said they are working with federal authorities and third-party forensics firms in the early stages of determining how far the breaches extend, and whether indeed any sensitive information was accessed and exfiltrated from their networks,” Krebs reported. The FBI confirmed it is investigating the case.
The incident raises some troubling questions.
“The entire identity theft and fraud industry can't be blamed on data aggregators. But the security breaches identified by Krebs and in the past suggest that there is a real danger in collecting all of this personal information in one place. It's a very attractive target to bad guys,” warns a recent report from The Washington Post.
The problem is widespread. Over 12 million Americans experienced identity theft, according to a 2012 survey, Cisco (News - Alert) said in a recent blog post.
The blog post reminds consumers that in fact they don’t control personally identifiable information (PII). It is controlled by federal, state, and local government agencies, employers, medical providers, and financial service providers, according to the blog post. For businesses, FBI Director Robert Mueller claimed businesses have either been hacked and or will be hacked.
In addition, payment card and bank account details are in demand among criminals. ATMs, gas pumps, and POS/PED systems are just some of the likely locations for theft of PII, the blog post said. In addition, businesses even are selling PII in legal transactions. It does not help that many consumers use the same password for different online accounts.
Here are some tips from the Cisco blog post. Look for new and suspicious credit lines on credit reports at least once year. Use a credit lock. Ask for profile deletion from online aggregators. Use a password manager. And try not to provide PII to third parties.
Edited by Alisen Downey