40 Million Identities Up For Sale On the Web
An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
Where does a cop get £160,000? (Score:3, Insightful)
He saved up?
Re:Where does a cop get £160,000? (Score:5, Funny)
creek walk (Score:2)
Re:Where does a cop get £160,000? (Score:5, Funny)
It's easy to access. All you have to do is email him your name and credit card info and ... ... wait a minute.
Re:Where does a cop get £160,000? (Score:5, Insightful)
And now the git wants us to pay for stolen information, obtained from publicly funded sources utilising his publicly funded connections to acquire. Whatever his previous achievements in the Met may or may not have been, now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.
Cheers,
Ian
Re: (Score:3, Insightful)
It's his right to do whatever he wants with his pension. If he wants to create a database of stolen identities, he can do that. And if he asks for payment to see if you are inside it, he can also do that.
He just can't do anything nefarious or illegal with it.
Re:Where does a cop get £160,000? (Score:5, Interesting)
Actually, under the Data Protection Act he isn't allowed to hold that database at all. This will end very badly for him.
Re:Where does a cop get £160,000? (Score:5, Informative)
This will end very badly for him.
Yes because here in the UK we always [independent.co.uk] punish our criminally inclined police . . .
Re:Where does a cop get £160,000? (Score:5, Insightful)
Like ... actually having the information in the first place without permission of the owners of the data. The only legal thing he can do with it is destroy it.
I certainly have not authorized him to use my information.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.
Or possibly an MP.
Re:Where does a cop get £160,000? (Score:4, Informative)
now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.
Or possibly an MP.
Same thing.
Re: (Score:2)
Regardless of his connections, he earned his pension. What he's doing is somewhat unethical, but by no means illegal.
He could just as easily have quietly sold the entire database for millions.
Re: (Score:3, Insightful)
Oh, it's illegal all right. In many countries. Just because the US government doesn't give a crap about privacy, doesn't mean other countries don't.
Re:Where does a cop get £160,000? (Score:5, Interesting)
Re: (Score:3, Interesting)
Actually, the US can have him extradited and convicted even if he didn't commit any act on US soil. Just look what happened to the UK hacker that got extradited, and the fellows who were claiming political asylum in the US for something they did outside the US.
Endangering the economic well-being of Americans will likely not go unpunished, especially if amongst those are lobbyists, military personnel, etc.
Re: (Score:2)
one, please (Score:5, Funny)
Look up our own information, huh? (Score:5, Funny)
Ok Mr. Burns, what's your first name?
I... don't know....
good point (Score:2)
This is also good for those of us who have forgotten our pin number and social security numbers and are too lazy to sort it all out at the bank. Not that we have any money left in said bank accounts...
Re: (Score:2)
It's the first part of my social security number
Re: (Score:2)
Err, didn't we have an article a couple weeks ago about how easy it was to deduce the first digits of somebody's social security number based on his place of birth and current age? Apparently we did [slashdot.org].
Methinks you'd do well to change it ASAP.
Re: (Score:2)
... I see. So you derailed my joke to make fun of me not thinking about trivial acronyms. And then I still didn't get it, so I dug the hole even deeper. Well done sir/madam, what your post lacked in importance I made up for by tripping over it.
Re: (Score:2)
Now you're just adding insult to injury!
Re: (Score:2)
Expand the acronym:
Is your personal identification number number personal?
Re:Look up our own information, huh? (Score:5, Funny)
To check if you are on our database please fill some informations:
Type your name/surname: *tip tip tip tip*
Type your credit card number: *tip tip tip tip tip tip tip tip tip*
Type your phone number: *tip tip tip*
Type your social security number: *tip tip tip tip tip tip tip tip tip*
[...]
Press Ok right now.
Sorry, you were not on our database... Fixed that!
Re: (Score:2)
Ok Mr. Burns, what's your first name?
Surely, they'll be collecting data of their own during any record search.
Hi, I'm Joe Bloggs, SSN 123-45-6789 of 123 Main St. New York, NY 11111. Is my information in your database?
Why yes, Mr. Bloggs....it is now.
splitting hairs (Score:5, Interesting)
"He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
How, exactly, does this differ from extortion?
Re: (Score:3, Insightful)
"He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
How, exactly, does this differ from extortion?
Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.
Re: (Score:3, Insightful)
So if I buy some stolen goods from a thief and then sell that stuff back to the original owners, then I'm fine because I'm not the one who has stolen the stuff? I don't think so.
So why is this case different?
Re: (Score:2)
As we always point out whenever the RIAA, MPAA or BSA mention it, copying != theft. Theft takes place when someone uses these details to buy something or borrow something they shouldn't be buying or borrowing.
Secondly, they are not selling you your credit card back, they are selling you the information that it is being passed around carding sites.
Re: (Score:3, Interesting)
No, you don't understand, that's not what this fine ex-cop is doing. It would be equivalent if you went around buying everyone's stolen goods, and then in order to recoup that cost, you charged people for the privilege of knowing whether or not their goods were stolen.
Re: (Score:2)
You could get in hot water for possession of stolen property if you knew they were hot.
Re: (Score:2)
Re: (Score:3, Insightful)
Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.
That depends on when he acquired it, and the resources he used. If he acquired it on the job, or using government equipment and/or connections, then it's the government's information and he doesn't have the right to sell it. If this was a "post-retirement" project he's been working on, then it would be legal.
Re:splitting hairs (Score:5, Insightful)
If this was a "post-retirement" project he's been working on, then it would be legal.
No it wouldn't. This guy has no legal basis to acquire or retain this data, he's in very serious breach of the UK Data Protection Act.
Re: (Score:3, Interesting)
Yeah, I don't understand how even possessing that kind of database is legal, let alone trying to charge people for access to it.
I think this guy's business model needs some work.
Re: (Score:2)
Yeah, I don't understand how even possessing that kind of database is legal, let alone trying to charge people for access to it.
Uhhh...because a world in which it was a crime simply to possess certain information would be very scary? I'm just guessing, here.
Re:splitting hairs (Score:4, Interesting)
a world in which it was a crime simply to possess certain information would be very scary
Uh, you do realize you already live in that world, right? Right? [state.ny.us]
Re:splitting hairs (Score:5, Informative)
The UK DPA also requires that he have a legitimate reason to hold this data in the first place, which would be either a direct customer relationship, or a third party one like a credit reference agency (where the customer gives permission for the third party data-sharing as part of their credit applications). It also requires that he hold it for no longer than strictly necessary for the purposes of said business relationship. The law in question thankfully makes this an explicitly opt-in thing, outside of government no-one can legally collect your data without your permission and then require you to opt out.
Re: (Score:2)
Re:splitting hairs (Score:4, Insightful)
I am in no way defending the practice.
The answer is always "yes." (Score:4, Interesting)
It's far more brilliant.
You must give him some information about yourself to determine if you're in the database, non? Information that includes your credit card numbers, perhaps. Where do you think that data goes, I wonder.
Re: (Score:2)
Re: (Score:2)
Extortion would be him asking for payment NOT to expose it to someone ELSE.
Re: (Score:3, Insightful)
"Hi, my buddies and I would like to pool the information we have to check to see if we're on your list. My name is Mr Adams, and my friends names are: Taylor, Brown, Davis, Evans, Wilson, Thomas, Johnson, Roberts, Robinson, Thompson, Wright, Walker, White, Edwards, Hughes, Green, Hall, Harris, Lucas, and Price. Take your time, we want you to be thorough."
So let me get this straight... (Score:5, Interesting)
So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me. Isn't that how a lot of identity-theft scams operate in the first place? "Hey, your identity is at risk. Send us money and details and we'll check to see if you're a victim or not.........and.....YES...you are now a victim! Thank you for using Thieves-R-Us!"
Re: (Score:2)
If the info is real, it seems national governments should purchase the list in its entirety in order to protect their citizens.
Then they can lose the laptop, scrap the hard drives and it will show up in vendors' stalls in Saharan Africa, allowing the cycle to continue.
Re: (Score:2)
Or phishy.
Re: (Score:2)
Also there are only three ways one can procure this information. 1) He got it from government agencies (therefore, it's private information that the government owns, not information that one sole private individual owns), 2) He purchased this information directly from the bad guys (thereby, he's been personally funding them), and/or 3) He got this information directly from the Corporations breached themselves (therefore, he's been inducing those Corporations into leaking even more information than they alre
Re: (Score:2)
Seems a little illegal to me. Identity theft is a crime, right? Don't the victims have legal rights to the information? I would think in the U.S. and the U.K. that this guy would be obligated to report these crimes.
Re: (Score:2)
Re:So let me get this straight... (Score:5, Insightful)
More than a little fishy. I read this as, "British fraud officer leaves the force, collects the personal information of 40 million people from the black market and his buddies in law enforcement, and is now using it to make money. Oh, but it's not unethical this time because he used to be a policeman." If it was illegal for the phishers and fraudsters to have this ill-gained information, why is it not illegal for a former police officer to have it?
I know there are no privacy laws in Britain, but here in the U.S., I would hope that there's a law providing for the destruction of personal and/or financial details that were obtained illegally once they are no longer considered evidence in an ongoing prosecution.
Privacy laws in the UK (Score:5, Informative)
I know there are no privacy laws in Britain
Erm... Yes, there are.
If this is what it appears to be, it's a fairly obvious breach of the Data Protection Acts. Indeed, from the TFA:
The Information Commissioner, the data protection watchdog, is monitoring the development of the database. [...] The legality of the database could be put to the test in the coming week. The Information Commissioner's Office said it could not endorse a commercial service or make a ruling on its validity unless someone made a complaint. But the privacy watchdog said it had "provided advice to help the company comply with the principles of the Data Protection Act".
I rather suspect that this advice may have been "Stop. Now." :-)
The database might also fall foul of European human rights legislation that explicitly covers privacy.
Re:So let me get this straight... (Score:4, Interesting)
It took me about 10 minutes to create this simple web-page which could conceivably be used to steal identifying information. [effortlessis.com] It would take a few hours to add stuff like the ability to run credit cards, and simulate a faux "Your identity was not found".
This website was easy to make using a free template found online. With the exception of the target page for all the links, it would easily pass the "sniff test" for many people. It looks friendly! It's got a kid and a butterfly on it! The news stories are current! (copy/paste from google news for "Identity Theft") Feel free to check it out. Total time spent was about 10-15 minutes. (I purposefully put in a few spelling/grammar mistakes, just to exaggerate my point)
So I hack up a spam engine, log in via some open wifi hotspot, and I have a business overnight? ID theft is much, much easier than we all think. And we want to believe that this guy isn't also doing it?
If he has my sensitive data... (Score:3, Interesting)
... can I then sue him for illegally possessing my sensitive data?
Re: (Score:2)
I would imagine (without reading TFA, of course) that the officer has deleted all sensitive information and keeps only identifying information. You then input your identifying information and the database determines whether your sensitive information is in the hands of people with more nefarious intentions.
Re: (Score:2)
Re: (Score:3, Insightful)
The problem is that it's not very secure because there's a finite search space. If the database and system were illicitly copied, a dictionary attack (aka "preparing a rainbow table") would serve well to "unhash" most of the data in the database.
There are only 60 million Britons, and you can probably get or guess a good share of their names. Input them into the hashing routine, and you get a hash: let's say that "JOHN SMYTHE" hashes to "abc123". Next, you generate the 100 million possible taxpayer id
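The search-space argument in the comment above, worked through as an added example (not the commenter's code): an unkeyed hash of a name plus a short numeric id is recovered by simply enumerating every candidate, while a keyed hash (HMAC-SHA256 with a secret held only by the lookup service) resists the same enumeration. The records, the guessable-name list and the 4-digit id space are all constructed, and the keyed variant goes beyond the comment, which only describes the attack.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed sample records standing in for the "name + taxpayer id" pairs the
# comment describes. The id space is deliberately tiny (4 digits) so the
# enumeration finishes instantly; the real-world version differs only in cost.
SAMPLE_RECORDS = [
    ("JOHN SMYTHE", "0042"),
    ("JANE DOE", "7310"),
    ("ALAN TURING", "1912"),
]

# Constructed list of names an attacker could plausibly guess or harvest.
GUESSABLE_NAMES = ["JOHN SMYTHE", "JANE DOE", "ALAN TURING", "ADA LOVELACE"]
ID_SPACE = [f"{i:04d}" for i in range(10_000)]  # every possible 4-digit id


def plain_hash(name: str, ident: str) -> str:
    """Unkeyed SHA-256 over a canonical record string (the weak scheme)."""
    return hashlib.sha256(f"{name}|{ident}".encode()).hexdigest()


def keyed_hash(name: str, ident: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key that stays with the lookup service."""
    return hmac.new(key, f"{name}|{ident}".encode(), hashlib.sha256).hexdigest()


def build_index(records, hasher):
    """What a leaked 'hashed' database looks like: a set of opaque digests."""
    return {hasher(name, ident) for name, ident in records}


def enumerate_space(index, hasher):
    """Dictionary attack from the comment: hash every (name, id) candidate and
    keep those whose digest appears in the leaked index. Returns the recovered
    plaintext records. With an unkeyed hash the attacker runs exactly the same
    function the defender did, so every record in the finite space falls."""
    recovered = {}
    for name, ident in itertools.product(GUESSABLE_NAMES, ID_SPACE):
        digest = hasher(name, ident)
        if digest in index:
            recovered[digest] = (name, ident)
    return recovered


def demo_unkeyed():
    """Leaked unkeyed index: all three sample records are recovered."""
    index = build_index(SAMPLE_RECORDS, plain_hash)
    return enumerate_space(index, plain_hash)


def demo_keyed():
    """Leaked keyed index without the key: enumeration recovers nothing,
    while the service holding the key can still answer a lookup."""
    key = secrets.token_bytes(32)
    index = build_index(SAMPLE_RECORDS, lambda n, i: keyed_hash(n, i, key))
    # Attacker has the index but not the key: tries the obvious unkeyed hash...
    without_key = enumerate_space(index, plain_hash)
    # ...and a guessed key; both come up empty.
    wrong_key = enumerate_space(index, lambda n, i: keyed_hash(n, i, b"guess"))
    # The legitimate service, holding the key, still matches a real record.
    service_can_check = keyed_hash("JOHN SMYTHE", "0042", key) in index
    return len(without_key), len(wrong_key), service_can_check
```

The keyed scheme only helps if the key is stored apart from the database (for example in an HSM); if "the database and system" are copied together, as the comment supposes, the key goes with them and the small search space is exposed again.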
Re: (Score:2)
I believe it's illegal to hold identifying information without the consent of the person it identifies. At least, in the UK I think. Definitely is here.
Re: (Score:2)
Re:If he has my sensitive data... (Score:5, Insightful)
If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.
If you're in the UK you can also use the Freedom of Information act to request any information he's holding about you, but for that he can charge a nominal fee, which is how he's probably planning on making the money invested back.
A former member of the metropolitan police and corrupt? Don't colour me surprised.
Re: (Score:2)
It is the Data Protection Act you use, not the Freedom of Information Act. FOI applies to non-personal information held by public bodies, and no fee is payable.
Re: (Score:2)
It is the Data Protection Act you use, not the Freedom of Information Act. FOI applies to non-personal information held by public bodies, and no fee is payable.
It IS the Data Protection Act but a fee of up to £10 can be charged per request [ico.gov.uk]
Re: (Score:2)
If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.
FYI (why is no-one linking to the DPA?) - it also says anyone who processes personal information must comply with eight principles, which make sure that personal information is fairly and lawfully processed [ico.gov.uk]
1/10 of a cent per person (Score:4, Insightful)
Were you a victim of upskirt photography? (Score:3, Insightful)
I have put together a database of upskirt photos collected from the internet. For a small fee you can peruse my collection and find out if you were a victim.
ur doin it wrong (Score:5, Funny)
I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture you can peruse my collection and find out if you were a victim.
fixed that for you
Re: (Score:2)
I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture you can peruse my collection and find out if you were a victim.
fixed that for you
No way, dude. I don't want upskirt photos from every perv who pays his way into the database. I just want to pay my way into the database to "search" it myself. Alone.
Re: (Score:2)
Re: (Score:2)
I'd like to check my personal details please .... (Score:3, Interesting)
Re: (Score:2)
Date and place of birth? (Score:5, Funny)
My name? It's ... Barak Obama.......
And what is your date and place of birth?
= = = =
(Moderators: Google "Barack Obama citizenship conspiracy theories".)
Is mine there? How much did it go for? Only That?! (Score:4, Insightful)
Well then, I'd like it *back* please. I wasn't done using it yet. You can have it after I'm finished.
If he really wanted to do the right thing... (Score:5, Interesting)
... he'd notify the relative banks and get them to issue new cards to the card holders and then cancel the old account numbers.
Or isn't that something a police officer would not do?
Aren't the police supposed to help protect the public?
Re:If he really wanted to do the right thing... (Score:5, Informative)
I see that this is your first time visiting England.
The police are far too busy tracking down dangerous criminals [theregister.co.uk] to worry about your petty concerns.
Hmm... Who's that at the door at this hour? (Score:5, Funny)
Re:Hmm... Who's that at the door at this hour? (Score:5, Funny)
They're actually here to do two things -- kick ass and have tea and biscuits. As it happens, however, they're all out of tea and biscuits.
Prosecute for possession of stolen property (Score:4, Insightful)
Re: (Score:2)
Here's how to stay safe (Score:4, Funny)
A discussion on morality. (Score:3, Insightful)
I'm interested in hearing people's thoughts on the morality of this sale. Sales like these are completely non-unique, with one prominent example being the credit score business in the United States. As far as I know, Americans are only entitled to know their credit score for free twice a year, and no more. Additionally, lenders don't provide any fair warning that a person's credit score is at risk; in fact, younger credit card owners are encouraged to use their credit cards as primary spending sources with sign-up incentives and looser overall operating conditions.
Personally, I think that it's completely immoral to charge people for knowing whether their most treasured assets are at risk. Just don't let CNN know about it; I really don't want to deal with a full work day of them discussing privacy breaches, credit card fraud and how this all impacts Obama and Michael Jackson. (He's still dead.)
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Yanks are eligible for a free report once a year, from each of the three credit bureaus, so the smart ones of us space them out and get one at a time. www.annualcreditreport.com [annualcreditreport.com]. They don't give us the actual score, that varies by bureau and costs extra, just the report. It's meant to find inaccurate information. We also do get free reports (you have to request it) when credit is denied because of one of those bureaus.
I too ... (Score:4, Funny)
... have a database which, for a small fee, I will be happy to verify that your records are not contained therein.
I think we've just discovered the "4) ?????" step.
From one criminal to another. Arrest him. (Score:3, Informative)
Charge with possession with the intent to distribute. I see no difference if he were in possession of 100 kilos of cocaine. What's to stop him from selling people's information on this list to the highest bidder? Who's going to police the policeman? HIS morals are already in question based on his actions here.
And if he used his own money to invest in this bullshit scheme, tough shit. He should have known better.
Laundered Data from the Internet. (Score:2)
Trouble is, unless it's a crime in the UK to possess that information (it's not one in the United States and at least most countries), charging him with possession with intent to distribute wouldn't stick; distribution of that information is likewise not a crime in the United States or most countries, so that wouldn't stick either. As for intent, well, it has to be proven, is difficult to prove, and the burden of that proof is on the prosecution.
There are a great many companies that have a great deal of PII on a lot of people, and they sell and trade it all the time? Legal? Yes. Should it be? Well, that's another question entirely.
Unless he uses that information to commit a crime, he's not doing anything illegal by having it, nor is he doing anything illegal by charging you a fee for telling you if he has info on you or not, and if so, what he has.
This database also happens to include information on doctors, lawyers, and policemen, which (much like the US) is probably not supposed to be in the public domain for security reasons. I'd say that a possession charge should legally still stick.
Just because he obtained a copy of data obtained illegally (phishing) from the Internet doesn't make it any more legal than me downloading a copy of a recording artist's MP3 song. Gathering stolen data "free" from the Internet is akin to calling laundered drug money
Ethics? Hello? UK? Anyone home? (Score:3, Interesting)
I realize this is going by the wayside and all that, but doesn't anyone in the UK police service get ethics training anymore? Let alone have some type of psych eval when they join like they do in Canada? Some serious ethical questions that should be raised not only by his service, but also by the crown.
Regardless of whether or not he retired from being a police officer or not, there's some things that don't go away when you retire. He's crossed a line, whether he realizes it yet or not. Then again, this being the UK, maybe I shouldn't be surprised, if this is commonplace for retired officers to pull stuff like this, it could be an example of how deep the rot actually goes in their entire system.
Re: (Score:3, Insightful)
Day 2: Racist indoctrination training.
Day 3: Brutality training.
Day 4: Smart-arse, holier than thou training.
Day 5: 10 minute test.
Lawyer... (Score:2)
Mr. Holder (interesting name) better get himself a lawyer, because if he has my info, I am going to hire one to get it purged from his db. It does not matter if he thinks there is some "greater good" to having it. It's my info; he shouldn't have it. What if someone steals his precious DB? He's basically hung a shingle that says "hack me" at this point.
what's actually happening, and the law (Score:3, Informative)
Since there is not much info in TFA or the summary, here's some more.
Colin Holder was a Detective Sergeant with the Metropolitan Police for 33 years or so, and left in 2004. He now works in "security and investigations".
At some time he amassed "approximately 120 million personal records that have been phished/hacked and sold between criminals on the internet". Now he's offering a free summary of the information he has, and a £10 full listing, available once you verify your identity. £10 is also what you'd pay if you made a request under the Data Protection Act for the data he holds. Also, he's not storing the information you provide to do a lookup (which is name and either postal or email address) -- unless you buy the full version of a report, clearly. He also provides information on what he's doing, guidance on security, and an explanation of why, for instance, it's not necessarily helpful to victims for him to report the data loss to credit card companies.
More data on his site [lucidintelligence.com].
I think he's trying to offer a useful service, and does not intend this as a scam. It's even probably socially useful to be able to know if your data is "out there". But it's hard to see if it's legal under the Data Protection Act in the UK or equivalent legislation in any EU state - assuming the collection and processing of the data happened or happens in an EU jurisdiction.
The DPA requires data to be "fairly obtained" - there is lots of guidance on exactly what this means. He may try to argue that gathering such "freely (or criminally or commercially) available" data from the net, for the limited purpose of alerting the victims, is "fair". Good luck with that - I don't think there is any precedent for that, and the legal costs could exceed the £160K he's spent so far.
The DPA also limits how long the data can be held, and the uses to which it can be put -- it has to match the purposes for which it was gathered. It's an interesting question when this legal "collection" happened - whether it was the original collection from the victims (in some cases legally), any intermediate hacking (unlikely), or Mr Holder's scraping-up exercise (in which case, how could there be consent to his "purposes"?).
One issue this highlights is that, if you ever allow an EU company to share your data, or ever give data to a non-EU company, there are no limits on what they can do with it. Your data is now an asset of the company, and they can change their T&C retroactively to allow whatever use they like. So can anyone who purchases the information, or who obtains it when the "owners" go bust.
You can see why it might be useful to know if your data is "out there", and even whether it is limited to commercial organisations, or crime / hacker networks.
Maybe a change in the law to allow that might be good -- on a carefully regulated basis, so the data is not just another tradeable asset!
IANAL, WMMV, yadda, yadda...
Re: (Score:2)
for a hacker to have that information on their computer. So how is it legal for a company to keep all of that information.
No. It is a crime to steal that information in the first place. And in some cases, having that information on your computer might be evidence that you've committed that crime. But that's not what happened here. He's collected information that's already been stolen, and is selling a potentially valuable service in letting people know they've been a victim of a crime so they can take steps to mitigate the damage.
Re:Isn't it a crime (Score:4, Insightful)
Yes... but HOW, exactly, has he collected this information? It appears to be by using all sorts of connections all over the world, who are providing him with data and using the time and money of the State or Nation that employs them.
That has got to be a crime. It had damn well better be a crime.
Re: (Score:2)
The pro-piracy folks around here say that copying isn't theft. I'd say that'd apply here too.
Re:Isn't it a crime (Score:5, Insightful)
The pro-piracy folks around here say that copying isn't theft. I'd say that'd apply here too.
Not just the pro-piracy folks. Although I'd like to see reform, I am in favour of copyright. Incorrectly defining terms makes sensible discussion of a topic difficult or even impossible.
This topic doesn't inflame the argument so much because there is not a substantial portion of people who want "identity theft" to be legal. Since there is no debate on whether it should be allowed or not, using an incorrect term doesn't hijack the argument into being propaganda for one side. Theft and stealing are terms commonly used to describe things that are not in fact theft. That's usually ok, but when discussing proposed changes to laws that affect the whole society it isn't. For example, I would regard the MPAA equating copying a movie with stealing a car, repetitively making that connection in the absence of opposing argument to the general population (on DVDs), as tainting the jury pool.
A teenage girl might accuse another of "stealing" her boyfriend. No problem, until you start proposing laws to have boyfriend thieves charged with theft. At that point, it would be necessary to point out the differences and that "stealing" is not really an appropriate term for what happened. That's where we are with copyright right now. In identity theft cases, I'm not sure there is a word to properly describe it yet. It is usually done in order to commit fraud, but the harvesting of the identity info is only the first step and probably isn't fraud in and of itself. Although fraud and theft are different, common usage of theft includes fraud, so theft is perhaps the best word to use right now even though it isn't exactly correct.
Re: (Score:2)
I've got an idea!
let's make a new term for copying copyrighted material!
We will call it STORROWING!
It's a mix of steal and borrowing, after all, we didn't really steal it, and we didn't really borrow it either.
Re: (Score:2)
Re:Ridiculous (Score:4, Interesting)