Identity theft is big business. According to Statistic Brain:
- Average number of U.S. identity fraud victims annually, 11,571,900
- Percent of U.S. households that reported some type of identity fraud, 7%
- Average financial loss per identity theft incident, $4,930
- Total financial loss attributed to identity theft in 2013, $21 billion
- Misuse of Existing Credit Card, 64.1%
- Misuse of Other Existing Bank Account, 35%
- Misuse of Personal Information, 14.2%
But how do the bad guys get the data to pull off these crimes? It turns out that it's really very easy and one of the sources they use has been, in at least one known case, a consumer credit reporting companies
If you, like me, have always been concerned that the consumer credit reporting companies, which includes Experian, TransUnion, Equifax, PRBC, and Innovis, know way too much about us and are simultaneously inadequately regulated and way too casual about our personal data then the following tale will come as no surprise other than the surprise that comes from realizing that as bad as you thought things were, they are, in reality, far worse.
An identity theft service that sold Social Security and drivers license numbers - as well as bank account and credit card data on millions of Americans - purchased much of its data from Experian, one of the three major credit bureaus ...
Brian's research revealed that the outfit Experian sold its consumer data to was Superget.info, an online service that is, as Brian calls it, "fraudster-friendly" and allows anyone to look up social security numbers, birthdays, addresses, phone numbers, mother's maiden name, and so on for very low prices making it ridiculously easy for scammers and identity thieves to operate.
The actual tale of how superget.info got access to Experian's data is somewhat complex but reveals that Experian didn't perform due diligence in the acquisition and operations of another company, Court Ventures, which, in turn, didn't check the bona fides of a company posing as a private investigator.
In short, despite the US Secret Service investigating Experian with a grand jury subpoena as well as arresting the man behind superget.info and other related sites along with the FTC issuing subpoenas to nine data brokers, it's pretty much certain that little if nothing will change in the legal landscape that defines the consumer credit reporting industry.
What will it take to get any change? Maybe the European Union needs to get involved though I have no idea how. What's more-or-less certain is that we, the people whose personal data the consumer credit reporting agencies make money from, are never going to have the political will to force change. Brace yourself, it could be your identity that gets stolen next.
Big tip o' the deerstalker to Brian Krebs for great investigative reporting.