For those of us concerned about how private technology companies use our data, the last few weeks of 2013 provided a couple of “I told you so” moments.
A hacker group exploited a well-known, publicly disclosed security flaw in supposedly ultra-secure Snapchat to dump 4.6 million Snapchat usernames and associated phone numbers on the Internet. Meanwhile, Target was hit by a massive compromise of its payment system that let attackers siphon off credit and debit card data on 40 million people. The retailer then sat on the news for a few days, hoping no one would notice…
The horrible truth is that we’ve become desensitized to news of credit card heists, and are no longer surprised when our favorite apps and websites play fast and loose with our information. It’s become an expected part of Surveillance Valley’s corporate culture: pay lip service to security while selling people’s most intimate data to the highest bidder, be they governments, predatory corporations, or notorious identity thieves.
Perhaps no Surveillance Valley sector exemplifies this mindset better than the private intelligence (aka “data broker”) industry. It’s an industry that prides itself on data awareness and sells all types of security and fraud prevention services to governments and the world’s largest corporations. And yet, the industry is notoriously careless about security. As one expert told me, “A sophisticated criminal can pretty much get anything they want now.”
As I wrote last month, the data broker industry got its start in the 1970s with companies scouring public and corporate data — things like property records, voter registration, credit card transactions, product warranty cards, political contributions, and court documents — to compile targeted lists of businesses and consumers in order to improve the effectiveness of telemarketing.
There are thousands of data brokers operating today. The industry churns through somewhere around $200 billion in revenue annually. Together, these companies have detailed information on just about every adult in Europe and North America.
They comb every possible source of digital information: Internet activity is monitored and mined through cookies and third-party trackers; transaction records are bought in bulk from retailers and analyzed; public records and social networks are scoured and scraped. What kind of books did you read? What kind of prescription drugs did you buy? Make political contributions? Married? Pregnant? When’s your due date? Watch political documentaries or donate to environmental groups? Or maybe duck hunting shows are more your thing?
Some of the biggest data brokers, with names like Experian, LexisNexis, Epsilon, Altegrity, and Acxiom, are multi-billion-dollar corporations, most of them publicly traded.
And while they don’t like to publicize it, most of these multi-billion-dollar companies have had their data tapped and used by all kinds of scammers and fraudsters. Sure, sometimes that data comes via hackers, but most of the time there’s no law breaking at all: Data brokers pass your data to scammers for a fee… It’s all just a normal part of doing business.
Take Experian, one of the largest for-profit intel companies in the world. Experian has revenues of nearly $5 billion, 17,000 employees in 40 countries, and claims to maintain files on around 740 million people. The company provides all sorts of identity intel tools to businesses and governments: credit reports, debt collection, identity services, fraud prevention, and various data breach services. It even signed a contract with the federal government to provide “identity proofing” for President Obama’s health insurance exchange website.
Experian has been dogged by security scandals for years. Hackers made a sport of breaking into Experian employee accounts and siphoning off thousands of customer dossiers. Again, though, scammers don’t need to hack or break the law to get at Experian’s data.
In 2013, security expert Brian Krebs — the best and most talented reporter working the Silicon Valley security beat — discovered almost by chance that Experian had been selling files on hundreds of thousands of Americans to a notorious Vietnam-based scammer outfit called Superget.info.
That intel didn’t stay dormant. The cons behind Superget.info piped it back out into the world through various for-profit black-market intel portals, selling it to scammers, identity thieves and shady Internet lurkers at rock-bottom prices. Those looking for particular individuals were in luck: Superget.info was searchable by name! As the company boasted:
Our Databases are updated EVERY DAY. About 99% nearly 100% US people could be found, more than any sites on the internet now.
The records offered for sale by Superget.info included a person’s name, Social Security number, date of birth, email address and email password, mailing address, phone number, driver’s license number, bank account and routing number, and employer’s name. These are known as “fulls” or “fullz” (online scammer slang for dossiers containing the basic intel necessary to take over someone’s financial identity).
As a federal indictment filed in late 2013 against the scammers behind Superget.info explained:
‘Fullz’ are frequently used by carders to take over the identity of a person in order to engage in various types of fraudulent activities, without the identity theft victim’s consent. These can include opening new financial accounts in the victim’s name and making fraudulent purchases on, or transfers of funds from, those accounts; taking out loans in the victim’s name; and filing fraudulent tax refund requests with the IRS on behalf of the victim.
Superget.info sold them for anywhere from 16 to 25 cents a pop, depending on volume. Payment was made through lightly regulated digital payment systems like Liberty Reserve and WebMoney.
Experian boasts of strong security protocols and offers a host of fraud detection and prevention services to governments and large corporations. But apparently it didn’t take much for the Vietnamese scammers to get past Experian’s customer vetting: all they had to do was present themselves as American private investigators, and Experian simply took them at their word. The fact that these “American” private investigators paid for the data with wire transfers from Singapore didn’t raise alarms, and Experian continued to pipe out dossiers on hundreds of thousands of Americans for a year and a half.
The federal indictment named one of the individuals behind Superget.info — a Vietnamese national named Hieu Minh Ngo — but it failed to mention where he obtained his information. Indeed, this question might have gone unanswered if a reader hadn’t tipped off Krebs that the formatting and headers of Superget.info’s data looked like it had come from a company called US Info Search (USIS), a medium-sized for-profit intel outfit that provides all sorts of background and screening services for governments and private companies.
Krebs dug further and found that Experian got its hands on the data through Court Ventures, another private intel company that it had acquired in 2012 and which had a data-sharing agreement with USIS. Apparently it was Court Ventures that had started selling files to Superget.info before the acquisition, but the relationship continued well after the company was absorbed by Experian.
In other words: Experian failed to perform due diligence. It simply took the business over, accepting payments and handing over data for another year and a half, only stopping when contacted by the Secret Service.
The thing to remember is that Experian isn’t some hapless mom-and-pop operation. It is one of the largest private data intelligence companies in the world — a company that positions itself as an expert in fraud prevention and security and data breaches.
Commenting on the humiliating, nearly constant data breaches suffered by the for-profit surveillance industry, Brian Krebs wrote:
The intrusions raise major questions about how these compromises may have aided identity thieves. The prevailing wisdom suggests that the attackers were going after these firms for the massive amounts of consumer and business data that they hold. While those data stores are certainly substantial, fraud experts say the really valuable stuff is in the data that these firms hold about consumer and business habits and practices.
Experian’s relationship with Superget.info provides a glimpse into the murky and shifty nature of the for-profit surveillance industry — a porous and unregulated landscape where unscrupulous businesses trade and sell sensitive information about our personal lives with anyone willing to pay for it, and have no problem letting that intel migrate to the darkest corners of the Internet.
Experian’s dealings with Superget.info are not an anomaly, but a normal part of the trade. Scammers are a lucrative source of revenue. And as I wrote a few weeks ago, there are plenty of examples of private intel outfits tailoring profile products specifically to fraud and con use — including companies selling lists of “gullible” pensioners who “want to believe that their luck can change” to financial scammers who then robbed some of these retirees of all they had.
As Royal Canadian Mounted Police Sergeant Yves Leblanc told the New York Times: “Only one kind of customer wants to buy lists of seniors interested in lotteries and sweepstakes: criminals. If someone advertises a list by saying it contains gullible or elderly people, it’s like putting out a sign saying ‘Thieves welcome here.’”
Senator John D. (Jay) Rockefeller IV, chairman of the Senate Commerce Committee, who had just finished up a landmark series of hearings on the for-profit intel industry, was also curious whether Experian had dealings with other potentially criminal organizations. In October 2013, he sent Experian a letter asking the company to describe the procedures it uses to audit clients and demanded that it release a list of the companies it has sold its information to: “If these recent news accounts are accurate they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them.”
Experian didn’t feel like answering. The company simply blew off Rockefeller’s request, and his Senate Commerce Committee was still waiting on Experian when it issued its final report in December 2013. In it, the committee noted with alarm that Experian and other for-profit intelligence companies had routinely refused to cooperate with the investigation into their business practices:
Data brokers operate behind a veil of secrecy. Three of the largest companies – Acxiom, Experian, and Epsilon – to date have been similarly secretive with the Committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it. … The refusal by several major data broker companies to provide the Committee complete responses regarding data sources and customers only reinforces the aura of secrecy surrounding the industry.
All of this (the underhanded gathering of data on millions of Americans; the use of that data to deny goods, services, and healthcare; the refusal to cooperate with Senate investigations; even the sale of our financial information to overseas scammers for use in identity theft) would alarm most people. In particular, one would expect an outcry from the journalists who bring us daily reports on the government’s invasions of our privacy.
And yet, much as NSA whistleblower Edward Snowden himself said that corporate spying wasn’t a problem because “Twitter doesn’t put warheads on foreheads,” so his loudest supporters parrot that same line.
In response to those concerned about the Target data breach, journalism commentator Jay Rosen — recently hired by Pierre Omidyar’s “First Look Media” — took to Twitter and scoffed:
I guess Greenwald has nothing to worry about, then, and he should just return home. His real nemesis is Target … Government can put you in jail, ruin you financially, take your property, and make you stateless. Target can target you.
That’s right, move along folks, nothing to see here.
Government spying = evil!
Corporate spying = hurray for the free market!
[Illustration by Hallie Bateman for Pando]