The scary thing about large commercial data brokers, other than their collection of your personal information without your permission, is the possibility that their enormous hoards of data can be stolen. Despite all promises of care and security, hacks happen. Privacy advocates always warn about this when discussions about large-scale digital tracking come up — what if the NSA were hacked? — and those concerns are routinely dismissed by the data hoarders as scare-mongering.
Guess who was right?
Brian Krebs has a remarkable story up today, the culmination of a seven-month investigation, in which he reveals that criminals have had their way with data from huge data brokers like Lexis-Nexis for at least several months. Criminals worldwide have downloaded 1 million Social Security numbers, 3 million birth dates, and countless other data points from these firms. The computer criminals who broke in acted as a sort of Google for 1,300 “customers” who were trying to gather dossier information on potential ID theft victims. In many cases, the customers weren’t looking for traditional financial information; they wanted answers to “knowledge-based authentication” questions that stood between them and a transaction — answers to familiar, annoying questions like “which of these firms holds your mortgage?” or “which street have you lived on?”
The firms will investigate, they will improve their security, they will reassure customers. But they will continue to keep and earn money off your data without your permission.