Krebs on Security, a well-known security blog, just released the first part of a long technical series on how an online identity theft ring (SSNDOB) managed to gather its data. The source wasn't clumsy consumers; it was breached servers at three major data providers.
The compromised systems were located at LexisNexis, Kroll Background America, and Dun & Bradstreet. Hackers used undetectable malware to gain access to the companies' databases and sold hundreds of thousands of dollars worth of Social Security numbers, dates of birth, background checks and credit reports for more than 4 million Americans.
Among the reported victims: a long list of public figures including Beyonce, Kanye West, Jay Z, First Lady Michelle Obama, CIA Director John Brennan, and then-FBI Director Robert Mueller, according to the New York Daily News.
It was these high-profile reports, which were published online by hacker group UGnazi, which led to the discovery of the breach.
An initial analysis of the SSNDOB database only referred to DB1, DB2, etc. But after further digging into the network paths of the "botnet" computers, it appears two servers each at LexisNexis and Dun & Bradstreet were compromised, as well as Kroll Background America (a pre-employment background and drug screening company now owned by HireRight).
LexisNexis told Krebs that there was no evidence that customer or consumer data was actually breached. It also appears that someone using a misappropriated law student account accessed a number of background reports. LexisNexis maintains that the data accessed was only "unregulated public records information" and that the misappropriated account was terminated.
The real benefit to the hackers from the various reports obtained comes from "knowledge-based authentication," or KBAs. When a consumer tries to initiate a credit application, often questions like "What was your address three years ago in Virginia?" are asked. Background reports provide this information. LexisNexis also provides an KBA service for businesses.
A fraud analyst cited by Krebs said that KBAs are a dead means of verifying identity, as they are too easily compromised. Unfortunately, there is not yet a viable alternative.
- How LexisNexis and others may have unwittingly aided identity thieves (Ars Technica)
- Data brokers D&B, LexisNexis, Altegrity report cyber attacks (Reuters)
- Hackers Strike Again: Federal Reserve, Ex-President Bush Targeted (FindLaw's Technologist)
- ID Theft Claimed 12M Victims in 2012: Report (FindLaw's Injured)