40 Million Identities Up For Sale On the Web
An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
splitting hairs (Score:5, Interesting)
"He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
How, exactly, does this differ from extortion?
So let me get this straight... (Score:5, Interesting)
So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me. Isn't that how a lot of identity-theft scams operate in the first place? "Hey, your identity is at risk. Send us money and details and we'll check to see if you're a victim or not.........and.....YES...you are now a victim! Thank you for using Thieves-R-Us!"
If he has my sensitive data... (Score:3, Interesting)
... can I then sue him for illegally possessing my sensitive data?
This is probably illegal to sell (Score:1, Interesting)
He almost certainly obtained his information legally, but some or most of it came with strings attached, including prohibitions on any non-official or personal use.
I predict any attempt to monetize this by a private individual will be shot down fast.
It's one thing for a government to provide this service on a cost-recovery basis, under heavy regulation.
It's quite another for someone to collect this data under "official" or "can I have it as a favor" pretenses or even buy it on the "open market" but use the fact that you are in government to make people think you won't abuse it then turn around and sell the same information. Even if he's doing it on a cost-recovery basis, I don't see any regulation and it just looks bad.
What he should do:
Sort the data by country of residence or nationality, then give the data to those countries' governments or simply destroy it. If he asks nicely for donations and is clearly being good about the way he handles this, he might get enough to cover his costs.
I'd like to check my personal details please .... (Score:3, Interesting)
The answer is always "yes." (Score:4, Interesting)
It's far more brilliant.
You must give him some information about yourself to determine if you're in the database, non? Information that includes your credit card numbers, perhaps. Where do you think that data goes, I wonder.
If he really wanted to do the right thing... (Score:5, Interesting)
... he'd notify the relative banks and get them to issue new cards to the card holders and then cancel the old account numbers.
Or isn't that something a police officer would not do?
Aren't the police supposed to help protect the public?
Re:splitting hairs (Score:3, Interesting)
No, you don't understand, that's not what this fine ex-cop is doing. It would be equivalent if you went around buying everyone's stolen goods, and then in order to recoup that cost, you charged people for the privilege of knowing whether or not their goods were stolen.
Re:Where does a cop get £160,000? (Score:5, Interesting)
Actually, under the Data Protection Act he isn't allowed to hold that database at all. This will end very badly for him.
Re:splitting hairs (Score:3, Interesting)
Yeah, I don't understand how even possessing that kind of database is legal, let alone trying to charge people for access to it.
I think this guy's business model needs some work.
Re:A discussion on morality. (Score:3, Interesting)
Re:Ridiculous (Score:4, Interesting)
Ethics? Hello? UK? Anyone home? (Score:3, Interesting)
I realize this is going by the wayside and all that, but doesn't anyone in the UK police service get ethics training anymore? Let alone have some type of psych eval when they join like they do in Canada? Some serious ethical questions that should be raised not only by his service, but also by the crown.
Regardless of whether or not he retired from being a police officer or not, there's some things that don't go away when you retire. He's crossed a line, whether he realizes it yet or not. Then again, this being the UK, maybe I shouldn't be surprised, if this is commonplace for retired officers to pull stuff like this, it could be an example of how deep the rot actually goes in their entire system.
Re:splitting hairs (Score:4, Interesting)
a world in which it was a crime simply to possess certain information would be very scary
Uh, you do realize you already live in that world, right? Right? [state.ny.us]
Re:So let me get this straight... (Score:4, Interesting)
It took me about 10 minutes to create this simple web-page which could conceivably be used to steal identifying information. [effortlessis.com] It would take a few hours to add stuff like the ability to run credit cards, and simulate a faux "Your identity was not found".
This website was easy to make using a free template found online. With the exception of the target page for all the links, it would easily pass the "sniff test" for many people. It looks friendly! It's got a kid and a butterfly on it! The news stories are current! (copy/paste from Google News for "Identity Theft") Feel free to check it out. Total time spent was about 10-15 minutes. (I purposefully put in a few spelling/grammar mistakes, just to exaggerate my point)
So I hack up a spam engine, log in via some open wifi hotspot, and I have a business overnight? ID theft is much, much easier than we all think. And we want to believe that this guy isn't also doing it?
Re:Where does a cop get £160,000? (Score:5, Interesting)
Re:Where does a cop get £160,000? (Score:3, Interesting)
Actually, the US can have him extradited and convicted even if he didn't commit any act on US soil. Just look what happened to the UK hacker that got extradited, and the fellows who were claiming political asylum in the US for something they did outside the US.
Endangering the economic well-being of Americans will likely not go unpunished, especially if amongst those are lobbyists, military personnel, etc.