
40 Million Identities Up For Sale On the Web

An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
  • by geekmux ( 1040042 ) on Tuesday July 21, 2009 @08:19PM (#28776873)

    Charge with possession with the intent to distribute. I see no difference if he were in possession of 100 kilos of cocaine. What's to stop him from selling people's information on this list to the highest bidder? Who's going to police the policeman? HIS morals are already in question based on his actions here.

    And if he used his own money to invest in this bullshit scheme, tough shit. He should have known better.

  • by plover ( 150551 ) * on Tuesday July 21, 2009 @08:45PM (#28777053) Homepage Journal

    now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.

    Or possibly an MP.

    Same thing.

  • Re:splitting hairs

    by FromellaSlob ( 813394 ) on Tuesday July 21, 2009 @09:05PM (#28777171)

    The UK DPA also requires that he have a legitimate reason to hold this data in the first place, which would be either a direct customer relationship, or a third party one like a credit reference agency (where the customer gives permission for the third party data-sharing as part of their credit applications). It also requires that he hold it for no longer than strictly necessary for the purposes of said business relationship. The law in question thankfully makes this an explicitly opt-in thing, outside of government no-one can legally collect your data without your permission and then require you to opt out.

  • by Anonymous Brave Guy ( 457657 ) on Tuesday July 21, 2009 @09:32PM (#28777375)

    I know there are no privacy laws in Britain

    Erm... Yes, there are.

    If this is what it appears to be, it's a fairly obvious breach of the Data Protection Acts. Indeed, from the TFA:

    The Information Commissioner, the data protection watchdog, is monitoring the development of the database. [...] The legality of the database could be put to the test in the coming week. The Information Commissioner's Office said it could not endorse a commercial service or make a ruling on its validity unless someone made a complaint. But the privacy watchdog said it had "provided advice to help the company comply with the principles of the Data Protection Act".

    I rather suspect that this advice may have been "Stop. Now." :-)

    The database might also fall foul of European human rights legislation that explicitly covers privacy.

  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Tuesday July 21, 2009 @10:11PM (#28777627) Homepage

    Aren't the police supposed to help protect the public?

    I see that this is your first time visiting England.

    The police are far too busy tracking down dangerous criminals [theregister.co.uk] to worry about your petty concerns.

  • by haifastudent ( 1267488 ) on Wednesday July 22, 2009 @02:53AM (#28778871)

    Sounds like he may have taken the term "fraud squad" in the opposite of the way it is (ostensibly) intended...

    You obviously are unfamiliar with what a "fireman" does to books.

  • by siloko ( 1133863 ) on Wednesday July 22, 2009 @03:25AM (#28779021)

    This will end very badly for him.

    Yes because here in the UK we always [independent.co.uk] punish our criminally inclined police . . .

  • by feepcreature ( 623518 ) on Wednesday July 22, 2009 @09:00AM (#28780459) Homepage

    Since there is not much info in TFA or the summary, here's some more.

    Colin Holder was a Detective Sergeant with the Metropolitan Police for 33 years or so, and left in 2004. He now works in "security and investigations".

    At some time he amassed "approximately 120 million personal records that have been phished/hacked and sold between criminals on the internet". Now he's offering a free summary of the information he has, and a £10 full listing, available once you verify your identity. £10 is also what you'd pay if you made a request under the Data Protection Act for the data he holds. Also, he's not storing the information you provide to do a lookup (which is name and either postal or email address) -- unless you buy the full version of a report, clearly. He also provides information on what he's doing, guidance on security, and an explanation of why, for instance, it's not necessarily helpful to victims for him to report the data loss to credit card companies.

    More data on his site [lucidintelligence.com].

    I think he's trying to offer a useful service, and does not intend this as a scam. It's even probably socially useful to be able to know if your data is "out there". But it's hard to see if it's legal under the Data Protection Act in the UK or equivalent legislation in any EU state - assuming the collection and processing of the data happened or happens in an EU jurisdiction.

    The DPA requires data to be "fairly obtained" - there is lots of guidance on exactly what this means. He may try to argue that gathering such "freely (or criminally or commercially) available" data from the net, for the limited purpose of alerting the victims, is "fair". Good luck with that - I don't think there is any precedent for that, and the legal costs could exceed the £160K he's spent so far.

    The DPA also limits how long the data can be held, and the uses to which it can be put -- it has to match the purposes for which it was gathered. It's an interesting question when this legal "collection" happened - whether it was the original collection from the victims (in some cases legally), any intermediate hacking (unlikely), or Mr Holder's scraping-up exercise (in which case, how could there be consent to his "purposes"?).

    One issue this highlights is that, if you ever allow an EU company to share your data, or ever give data to a non-EU company, there are no limits on what they can do with it. Your data is now an asset of the company, and they can change their T&C retroactively to allow whatever use they like. So can anyone who purchases the information, or who obtains it when the "owners" go bust.

    You can see why it might be useful to know if your data is "out there", and even whether it is limited to commercial organisations, or crime / hacker networks.

    Maybe a change in the law to allow that might be good -- on a carefully regulated basis, so the data is not just another tradeable asset!

    IANAL, WMMV, yadda, yadda...
