Forgot your password?
typodupeerror
Security Your Rights Online

40 Million Identities Up For Sale On the Web 245

Posted by kdawson
from the big-fat-target dept.
An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
This discussion has been archived. No new comments can be posted.

40 Million Identities Up For Sale On the Web

Comments Filter:
  • by winkydink (650484) * <sv.dude@gmail.com> on Tuesday July 21, 2009 @06:36PM (#28775989) Homepage Journal

    He saved up?

  • one, please (Score:5, Funny)

    by tverbeek (457094) on Tuesday July 21, 2009 @06:37PM (#28775999) Homepage
    I'll take one. I've been meaning to get a life.
  • by CorporateSuit (1319461) on Tuesday July 21, 2009 @06:38PM (#28776013)
    Hello. My name is Mr. Burns. I believe you have some info for me.
    Ok Mr. Burns, what's your first name?
    I... don't know....
    • This is also good for those of us who have forgotten our pin number and social security numbers and are too lazy to sort it all out at the bank. Not that we have any money left in said bank accounts...

    • by meuhlavache (1101089) on Tuesday July 21, 2009 @09:55PM (#28777513) Homepage
      Welcome into our huge database!

      To check if you are on our database please fill some informations:

      Type your name/surname: *tip tip tip tip*
      Type your credit card number: *tip tip tip tip tip tip tip tip tip*
      Type your phone number: *tip tip tip*
      Type your social security number: *tip tip tip tip tip tip tip tip tip*
      [...]
      Press Ok right now.

      ... Loading...

      Sorry, you were not on our database... Fixed that!
    • Ok Mr. Burns, what's your first name?

      Surely, they'll be collecting data of their own during any record search.

      Hi, I'm Joe Bloggs, SSN 123-45-6789 of 123 Main St. New York, NY 11111. Is my information in your database?

      Why yes, Mr. Bloggs....it is now.

  • splitting hairs (Score:5, Interesting)

    by tverbeek (457094) on Tuesday July 21, 2009 @06:40PM (#28776019) Homepage

    "He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

    How, exactly, does this differ from extortion?

    • Re: (Score:3, Insightful)

      by BitterOak (537666)

      "He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

      How, exactly, does this differ from extortion?

      Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.

      • Re: (Score:3, Insightful)

        by maxwell demon (590494)

        So if I buy some stolen goods from a thief and then sell that stuff back to the original owners, then I'm fine because I'm not the one who has stolen the stuff? I don't think so.
        So why is this case different?

        • by jonbryce (703250)

          As we always point out whenever the RIAA, MPAA or BSA mention it, copying != theft. Theft takes place when someone uses these details to buy something or borrow something they shouldn't be buying or borrowing.

          Secondly, they are not selling you your credit card back, they are selling you the information that it is being passed around carding sites.

        • Re: (Score:3, Interesting)

          by amicusNYCL (1538833)

          No, you don't understand, that's not what this fine ex-cop is doing. It would be equivalent if you went around buying everyone's stolen goods, and then in order to recoup that cost, you charged people for the privilege of knowing whether or not their goods were stolen.

        • by shentino (1139071)
          the original owners would be justified in getting a refund AND keeping the hot goods.

          You could get in hot water for possession of stolen property if you knew they were hot.
      • Re: (Score:3, Insightful)

        Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.

        That depends on when he acquired it, and the resources he used. If he acquired it on the job, or using government equipment and/or connections, then it's the government's information and he doesn't have the right to sell it. If this was a "post-retirement" project he's been working on, then it would be legal.

        • Re:splitting hairs (Score:5, Insightful)

          by FromellaSlob (813394) on Tuesday July 21, 2009 @07:11PM (#28776337)

          If this was a "post-retirement" project he's been working on, then it would be legal.

          No it wouldn't. This guy has no legal basis to acquire or retain this data, he's in very serious breach of the UK Data Protection Act.

          • Re: (Score:3, Interesting)

            Yeah, I don't understand how even possessing that kind of database is legal, let alone trying to charge people for access to it.

            I think this guy's business model needs some work.

            • by PCM2 (4486)

              Yeah, I don't understand how even possessing that kind of database is legal, let alone trying to charge people for access to it.

              Uhhh...because a world in which it was a crime simply to possess certain information would be very scary? I'm just guessing, here.

      • If he has said numbers stored on his hard drive he is in violation of several laws and probably even in England.
    • Re:splitting hairs (Score:4, Insightful)

      by ImNotAtWork (1375933) on Tuesday July 21, 2009 @06:53PM (#28776161)
      Extortion is threatening to use the information against you or leaking it even more if you do not pay. The company is not doing this. The company is saying this is what I have come across during my travels... If you want to know what I know about you then pay up, you are not obligated to do so. Kind of like those for pay credit score reports. (I know you don't have to pay for the credit report.. but the credit score is a different matter.)
      I am in no way defending the practice.
    • by zippthorne (748122) on Tuesday July 21, 2009 @07:06PM (#28776293) Journal

      It's far more brilliant.

      You must give him some information about yourself to determine if you're in the database, non? Information that includes your credit card numbers, perhaps. Where do you think that data goes, I wonder.

    • hey there Mr, that looks like a nice identity you got there hate to see anything nasty happen it. Give us a pound or two, here now got anything larger, there ya go now I'll just take a look here and well what do ya know you aren't on this list, well Bob's yer uncle that was easy wasn't it. Here then who's next.
    • by shentino (1139071)
      because he's asking for payment TO expose it to YOU.

      Extortion would be him asking for payment NOT to expose it to someone ELSE.
    • Re: (Score:3, Insightful)

      by L4t3r4lu5 (1216702)
      Worse than that, isn't this just a big repository of valid identities, ripe for abuse by fraudsters?

      "Hi, my buddies and I would like to pool the information we have to check to see if we're on your list. My name is Mr Adams, and my friends names are: Taylor, Brown, Davis, Evans, Wilson, Thomas, Johnson, Roberts, Robinson, Thompson, Wright, Walker, White, Edwards, Hughes, Green, Hall, Harris, Lucas, and Price. Take your time, we want you to be thorough."
  • by FSWKU (551325) on Tuesday July 21, 2009 @06:40PM (#28776021)

    He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached.

    So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me. Isn't that how a lot of identity-theft scams operate in the first place? "Hey, your identity is at risk. Send us money and details and we'll check to see if you're a victim or not.........and.....YES...you are now a victim! Thank you for using Thieves-R-Us!"

    • by j-stroy (640921)
      Sure sounds a lot like those spyware scans that list 542 threats(cookies) have been found! zomgwtfbbq!!11

      If the info is real, it seems national governments should purchase the list in its entirety in order to protect their citizens.

      Then they can lose the laptop, scrap the hard drives and it will show up in vendors stalls in Saharan Africa allowing the cycle to continue.
    • Seems a little fishy to me.

      Or phishy.

    • Also there are only three ways one can procure this information. 1) He got it from government agencies (therefore, it's private information that the government owns, not information that one sole private individual owns), 2) He purchased this information directly from the bad guys (thereby, he's been personally funding them), and/or 3) He got this information directly from the Corporations breached themselves (therefore, he's been inducing those Corporations into leaking even more information than they alre

    • by EdIII (1114411) *

      Seems a little fishy to me.

      Seems a little illegal to me. Identity Theft is a crime right? Don't the victims have legal rights to the information? I would think in the U.S and the U.K that this guy would be obligated to report these crimes.

      • by socsoc (1116769)
        Obligated? Not in the states, but he is still a scummy criminal in possession of stolen information and needs to be strung up.
    • by Eil (82413) on Tuesday July 21, 2009 @09:08PM (#28777195) Homepage Journal

      So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me.

      More than a little fishy. I read this as, "British fraud officer leaves the force, collects the personal information of 40 million people from the black market and his buddies in law enforcement, and is now using it to make money. Oh, but it's not unethical this time because he used to be a policeman." If it was illegal for the phishers and fraudsters to have this ill-gained information, why is it not illegal for a former police officer to have it?

      I know there are no privacy laws in Britain, but here in the U.S., I would hope that there's a law providing for the destruction of personal and/or financial details that were obtained illegally once they are no longer considered evidence in an ongoing prosecution.

      • by Anonymous Brave Guy (457657) on Tuesday July 21, 2009 @09:32PM (#28777375)

        I know there are no privacy laws in Britain

        Erm... Yes, there are.

        If this is what it appears to be, it's a fairly obvious breach of the Data Protection Acts. Indeed, from the TFA:

        The Information Commissioner, the data protection watchdog, is monitoring the development of the database. [...] The legality of the database could be put to the test in the coming week. The Information Commissioner's Office said it could not endorse a commercial service or make a ruling on its validity unless someone made a complaint. But the privacy watchdog said it had "provided advice to help the company comply with the principles of the Data Protection Act".

        I rather suspect that this advice may have been "Stop. Now." :-)

        The database might also fall foul of European human rights legislation that explicitly covers privacy.

    • by mcrbids (148650) on Tuesday July 21, 2009 @09:47PM (#28777471) Journal

      It took me about 10 minutes to create this simple web-page would could conceivably be used to steal identifying information. [effortlessis.com] It would take a few hours to add stuff like the ability to run credit cards, and simulate a faux "Your identity was not found".

      This website was easy to make using a free template found online. With the exception of the target page for all the links, it would easily pass the "sniff test" for many people. It looks friendly! It's got a kid and a butterfly on it! The news stories are current! (copy/paste from google news for "Identity Theft") Feel free to check it out. Total time spent was about 10-15 minutes. (I purposefully put in a few spelling/grammar mistakes, just to exaggerate my point)

      So I hack up a spam engine, log in via some open wifi hotspot, and I have a business overnight? ID theft is much, much easier than we all think. And we want to believe that this guy isn't also doing it?

  • by DreadfulGrape (398188) on Tuesday July 21, 2009 @06:43PM (#28776057)

    ... can I then sue him for illegally possessing my sensitive data?

    • by Looce (1062620) *

      I would imagine (without reading TFA, of course) that the officer has deleted all sensitive information and keeps only identifying information. You then input your identifying information and the database determines whether your sensitive information is in the hands of people with more nefarious intentions.

      • It would seem sensible to take common variations in the information (minor spelling differences for some data, accounting for different uppercase/lowercase combinations, abbreviations, etc), create a database of hashes for all this data, and use one-way hashing for comparing information submitted to determine if you know about it or not.
        • Re: (Score:3, Insightful)

          by plover (150551) *

          The problem is that it's not very secure because there's a finite search space. If the database and system were illicitly copied, a dictionary attack (aka "preparing a rainbow table") would serve well to "unhash" most of the data in the database.

          There are only 60 million Britons, and you can probably get or guess a good share of their names. Input them into the hashing routine, and you get a hash: let's say that "JOHN SMYTHE" hashes to "abc123". Next, you generate the 100 million possible taxpayer id

      • by Kalriath (849904) *

        I believe it's illegal to hold identifying information without the consent of the person it identifies. At least, in the UK I think. Definitely is here.

      • by socsoc (1116769)
        How is the identifying information different from the sensitive information? If I was to look at a database table, they'd be the exact same fields.
    • by the real darkskye (723822) on Tuesday July 21, 2009 @06:51PM (#28776143) Homepage

      If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.

      If you're in the UK you can also use the Freedom of Information act to request any information he's holding about you, but for that he can charge a nominal fee, which is how he's probably planning on making the money invested back.

      A former member of the metropolitan police and corrupt? Don't colour me surprised.

      • by jonbryce (703250)

        It is the Data Protection Act you use, not the Freedom of Information Act. FOI applies to non-personal information held by public bodies, and no fee is payable.

      • by duguk (589689)

        If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.

        FYI (why is no-one linking to the DPA?) - it also says anyone who processes personal information must comply with eight principles, which make sure that personal information is fairly and lawfully processed [ico.gov.uk]

  • by seifried (12921) on Tuesday July 21, 2009 @06:44PM (#28776069) Homepage
    The scary part I think is that he amassed this data for roughly 1/10 of a cent per person in there. Good thing the bad guys aren't doing this. Oh wait....
  • by Anonymous Coward on Tuesday July 21, 2009 @06:46PM (#28776087)

    I have put together a database of upskirt photos collected from the internet. For a small fee you can peruse my collection and find out if you were a victim.

    • by interkin3tic (1469267) on Tuesday July 21, 2009 @07:03PM (#28776253)

      I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture you can peruse my collection and find out if you were a victim.

      fixed that for you

      • by plover (150551) *

        I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture you can peruse my collection and find out if you were a victim.

        fixed that for you

        No way, dude. I don't want upskirt photos from every perv who pays his way into the database. I just want to pay my way into the database to "search" it myself. Alone.

      • I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture I can peruse my collection and find out if you were a victim. fixed that for you
      • This is the wrong place to ask... the images, they hurt.
  • by whoever57 (658626) on Tuesday July 21, 2009 @06:51PM (#28776133) Journal
    My name? It's Bill Gates. Oh, no, it's Warren Buffet .... Barak Obama.......
  • by gestalt_n_pepper (991155) on Tuesday July 21, 2009 @07:07PM (#28776303)

    Well then, I'd like it *back* please. I wasn't done using it yet. You can have it after I'm finished.

  • by 3seas (184403) on Tuesday July 21, 2009 @07:13PM (#28776357) Journal

    ... he'd notify the relative banks and get them to issue new cards to the card holders and then cancel the old account numbers.

    Or isn't that something a police officer would not do?

    Aren't the police supposed to help protect the public?

  • by Zantetsuken (935350) on Tuesday July 21, 2009 @07:18PM (#28776395) Homepage
    Well I'll be, its Scotland Yard and a squad of SAS coming for tea and biscuts! What? They say they're not visiting for tea and biscuts?
  • by Bob_Who (926234) <Bob@who . n et> on Tuesday July 21, 2009 @07:36PM (#28776561) Homepage Journal
    Lets be fair, he's in possession of stolen property, and although he has turned himself into the authorities, the law applies to all criminals, no matter how they draw a pension. Perhaps the blokes that raid private events based on facebook tags should try the swat team or bomb squad and put a stop to extortion and misuse of public authority. Its looking like a gang related organized crime syndicate, or perhaps its all a coincidence or just an invitation for the blue hats to hack his target rich database. Good thing he's armed with a mace and a night stick. That way he can defend the 40 million people who he feels each owe him .000567 in order to recoup expenses for obtaining stolen ID's.
    • by socsoc (1116769)
      Well I did see this database storage facility (his home) advertised as an all night party, better bring out the whirlybirds and a bunch of squad cars
  • by butabozuhi (1036396) on Tuesday July 21, 2009 @07:44PM (#28776629)
    Go to Google (or Yahoo or Bing) and type in your full social security number. Hit ENTER. If you find your number online, you're a victim of identity theft! If you don't find your number online...just wait a few days as you just sent it clear-text for the whole world to see. Yeeeeehah!
  • by MrCrassic (994046) <deprecated@[ ].il ['ema' in gap]> on Tuesday July 21, 2009 @07:45PM (#28776637) Journal

    I'm interested in hearing people's thoughts on the morality of this sale. Sales like these are completely non-unique, with one prominent example being the credit score business in the United States. As far as I know, Americans are only entitled to know their credit score for free twice a year, and no more. Additionally, lenders don't provide any fair warning that a person's credit score is at risk; in fact, younger credit card owners are encouraged to use their credit cards as primary spending sources with sign-up incentives and looser overall operating conditions.

    Personally, I think that it's completely immoral to charge people for knowing whether their most treasured assets are at risk. Just don't let CNN know about it; I really don't want to deal with a full work day of them discussing privacy breaches, credit card fraud and how this all impacts Obama and Michael Jackson. (He's still dead.)

    • Re: (Score:3, Interesting)

      by dave562 (969951)
      I thought that you were allowed to obtain your credit REPORT for free once or twice a year. The credit SCORE is considered proprietary information and therefore subject to a fee. I think it's a load of crap. If there was justice in the world, ANY information that ANYBODY uses as part of a process to determine how they interact with and treat you, should be freely available to you.
    • Re: (Score:3, Insightful)

      by socsoc (1116769)

      Yanks are eligible for a free report once a year, from each of the three credit bureaus, so the smart ones of us space them out and get one at a time. www.annualcreditreport.com [annualcreditreport.com]. They don't give us the actual score, that varies by bureau and costs extra, just the report. It's meant to find inaccurate information. We also do get free reports (you have to request it) when credit is denied because of one of those bureaus.

  • I too ... (Score:4, Funny)

    by PPH (736903) on Tuesday July 21, 2009 @07:54PM (#28776703)

    ... have a database which, for a small fee, I will be happy to verify that your records are not contained therein.

    I think we've just discovered the "4) ?????" step.

  • by geekmux (1040042) on Tuesday July 21, 2009 @08:19PM (#28776873)

    Charge with possession with the intent to distribute. I see no difference if he we in possession of 100 kilos of cocaine. What's to stop him from selling peoples information on this list to the highest bidder? Who's going to police the policeman? HIS morals are already in question based on his actions here.

    And if he used his own money to invest in this bullshit scheme, thought shit. He should have known better.

  • by Mashiki (184564) <mashiki.gmail@com> on Tuesday July 21, 2009 @09:29PM (#28777353) Homepage

    I realize this is going by the wayside and all that, but doesn't anyone in the UK police service get ethics training anymore? Let alone have some type of psych eval when they join like they do in Canada? Some serious ethical questions that should be raised not only by his service, but also by the crown.

    Regardless of whether or not he retired from being a police officer or not, there's some things that don't go away when you retire. He's crossed a line, whether he realizes it yet or not. Then again, this being the UK, maybe I shouldn't be surprised, if this is commonplace for retired officers to pull stuff like this, it could be an example of how deep the rot actually goes in their entire system.

    • Re: (Score:3, Insightful)

      by Inda (580031)
      Day 1: Sense of humour removal training.
      Day 2: Racist indoctrination training.
      Day 3: Brutality training.
      Day 4: Smart-arse, holier than thou training.
      Day 5: 10 minute test.
  • Mr. Holder (interesting name) better get himself a lawyer, because if he has my info, I am going to hire one to get it purged from his db. It does not matter if there he thinks there is some "greater good" to having it. It's my info; he shouldn't have it. What if someone steals his precious DB? He's basically hung a shingle that says "hack me" at this point.

  • by feepcreature (623518) on Wednesday July 22, 2009 @09:00AM (#28780459) Homepage

    Since there is not much info in TFA or the summary, here's some more.

    Colin Holder was a Detective Sergeant with the Metropolitan Police for 33 years or so, and left in 2004. He now works in "security and investigations".

    At some time he amassed "approximately 120 million personal records that have been phished/hacked and sold between criminals on the internet". Now he's offering a free summary of the information he has, and a £10 full listing, available once you verify your identity. £10 is also what you'd pay if you made a request under the Data Protection Act for the data he holds. Also, he's not storing the information you provide to do a lookup (which is name and either postal or email address) -- unless you buy the full version of a report, clearly. He also provides information on what he's doing, guidance on security, and an explanation of why, for instance, it's not necessarily helpful to victims for him to report the data loss to credit card companies.

    More data on his site [lucidintelligence.com].

    I think he's trying to offer a useful service, and does not intend this as a scam. It's even probably socially useful to be able to know if your data is "out there". But it's hard to see if it's legal under the Data Protection Act in the UK or equivalent legislation in any EU state - assuming the collection and processing of the data happened or happens in an EU jurisdiction.

    The DPA requires data to be "fairly obtained" - there is lots of guidance on exactly what this means. He may try to argue that gathering such "freely (or criminally or commercially) available" data from the net, for the limited purpose of alerting the victims, is "fair". Good luck with that - I don't think there is any precedent for that, and the legal costs could exceed the £160K he's spent so far.

    The DPA also limits how long the data can be held, and the uses to which it can be put -- it has to match the purposes for which it was gathered. It's an interesting question when this legal "collection" happened - whether it was the original collection from the victims (in some case legally), any intermediate hacking (unlikely), or the Mr Holder's scraping up exercise (in which case, how could there be consent to his "purposes"?).

    One issue this highlights is that, if you ever allow an EU company to share your data, or ever give data to a non-EU company, there are no limits on what they can do with it. Your data is now an asset of the company, and they can change their T&C retroactively to allow whatever use they like. So can anyone who purchases the information, or who obtains it when the "owners" go bust.

    You can see why it might be useful to know if your data is "out there", and even whether it is limited to commercial organisations, or crime / hacker networks.

    Maybe a change in the law to allow that might be good -- on a carefully regulated basis, so the data is not just another tradeable asset!

    IANAL, WMMV, yadda, yadda...

The reason why worry kills more people than work is that more people worry than work.

Working...