(Mint Press) – The credit bureau Equifax has confirmed Tuesday that identity thieves have stolen credit reports from AnnualCreditReport.com. The criminals now potentially have personally-identifiable information on up to 200 million Americans.
Among the individuals that had their personal information stolen are First Lady Michelle Obama, Vice-President Joe Biden, FBI Director Robert Mueller, Los Angeles Police Department (LAPD) Chief Charlie Beck, Beyonce, Ashton Kutcher and Jay-Z.
While some of the information obtained is out of date, much of it — such as dates of birth and social security numbers — are still relevant. This information is being sold on a website with a Soviet Union “.su” domain name.
The Federal Bureau of Investigation (FBI) and the Secret Service are actively investigating the theft. The LAPD is also investigating, as many of the celebrities involved live in Los Angeles, as does Chief Beck.
Entertainment website TMZ first reported that a site posting the stolen information was found online Monday. The site is currently still online as of the publication of this article.
“Equifax can confirm that fraudulent and unauthorized access to four consumer credit reports has occurred through the AnnualCreditReport.com channel, a free public service that allows all consumers to get annual access to their credit report,” the company said in a statement.
“Our initial investigation shows the perpetrators had the (personal information) of the individuals whose files were accessed and were therefore able to pass the required authentication measures in place,” the statement continued. “We have launched a full investigation into this matter and we are also working closely with law enforcement authorities on this matter.”
TransUnion, who co-owns AnnualCreditReport.com with Equifax and Experian, reports that their systems were not hacked or compromised.
“The sophisticated perpetrators of these fraudulent activities had considerable amounts of information about the victims, including Social Security numbers and other sensitive, personal identifying information that enabled them to successfully impersonate the victims over the Internet in order to illegally and fraudulently access their credit reports. TransUnion is taking steps to assist the individuals affected to help minimize any potential impact. We are conducting our own internal investigation and working closely with law enforcement.”
Experian had also confirmed that its systems were not hacked; according to the company, “this looks to be an isolated situation.”
According to the Consumer Financial Protection Bureau, 16 million consumers use AnnuaCreditReport.com annually. Federal legislation mandates that the major credit bureaus offer one credit report to consumers for free; AnnualCreditReport.com is a collaboration by TransUnion, Experian and Equifax to meet this requirement.
AnnualCreditReport.com used verification questions that are not “out-of-wallet” to verify identity in order to access credit reports. These verification questions include questions about bank accounts, mortgages, former addresses, education, and other topics that would be mentioned on a credit report, but wouldn’t be available to someone that stole a person’s wallet. The criminals that stole this information also had access to this secondary information — some of which can be purchased from data brokers such as Intellus.com and BeenVerified.com.
AnnualCreditReport.com and other credit report providors share answers for these verification questions and use multiple choice. It is possible to steal a report by “brute force” or by guessing on these verification questions until the right answer is given. The key to doing this is requesting the same report from multiple sources at the same time and running through the available answers to the challenge question.
The growth of online identity theft
Internet security firm CloudEyez.com pointed out to NBC News that “people with good credit and a net worth now have a bull’s-eye on their backs.” New markets — many with the domain of the Soviet Union, .su — are openly advertising the ready availability of credit reports and how easy it is for them to infiltrate websites such as AnnualCreditReport.com and CreditReport.com.
“I’m selling super prime credit reports and scores which include all 3 bureaus and other information,” states an advertisement on one site.
“We really have no idea how many reports have been used or put up for sale in the ‘libraries,'” said Dan Clements, head of CloudEyez.com.
“You currently can’t stop this scam because the ‘soft inquiry’ of a consumer pulling their own report doesn’t record in the majority of credit files,” Clements said, explaining that a consumer would never know if a criminal pulled a copy of their report. “Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks.”
The Federal Trade Commission has indicated that approximately 12.6 million Americans have been victimized by identity theft in 2012, approximately 1 million more than in 2011. A large percentage of this increase was driven by more serious forms of ID theft, such as new account fraud — in which a thief would use stolen information to open a new credit card or line of credit. New account fraud has jumped 50 percent from last year, with total fraud loss doubling to about $10 billion.
Credit card fraud, however still constitutes more than two-thirds of all identity fraud cases. On average, it takes about 11 hours to correct a credit fraud disruption. On the other hand, “account-takeover” fraud victims — in which a new or existing account has been taken over in the victim’s name — have their lives “severely impacted,” requiring an average of 37 hours to resolve these issues.
“Even in an age of cyber espionage and advanced targeted attacks, good old-fashioned consumer identity theft continues to escalate,” security consultant Avivah Litan said. “It’s highly unfortunate that even after all this time and effort by banks regulators high tech entrepreneurs and law enforcement that the bad guys are still coming out ahead. It’s high time that we put more intelligent efforts into winning this cyberwar, whether it’s against amateur identity thieves or foreign infiltrators.”