Slashdot Mirror

← Back to Stories (view on slashdot.org)

40 Million Identities Up For Sale On the Web

Posted by kdawson on from the big-fat-target dept.

An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

25 of 245 comments (clear)

  1. Where does a cop get £160,000? by winkydink · · Score: 2, Insightful

    He saved up?

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Where does a cop get £160,000? by mccalli · · Score: 5, Insightful

      No, we did. We being British tax payers, of which I am one, who are currently funding his pension. We're also funding the British police too, mentioned in the article as one of his sources. It follows then that we funded his career in the Met as well.

      And now the git wants us to pay for stolen information, obtained from publicly funded sources utilising his publicly funded connections to acquire. Whatever his previous achievements in the Met may or may not have been, now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.

      Cheers,
      Ian

    2. Re:Where does a cop get £160,000? by BikeHelmet · · Score: 2, Insightful

      It's his right to do whatever he wants with his pension. If he wants to create a database of stolen identities, he can do that. And if he asks for payment to see if you are inside it, he can also do that.

      He just can't do anything nefarious or illegal with it.

    3. Re:Where does a cop get £160,000? by BitZtream · · Score: 5, Insightful

      Like ... actually having the information in the first place without permission of the owners of the data. The only legal thing he can do with it is destroy it.

      I certainly have not authorized him to use my information.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:Where does a cop get £160,000? by Kalriath · · Score: 2, Insightful

      Oh, it's illegal all right. In many countries. Just because the US government doesn't give a crap about privacy, doesn't mean other countries don't.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  2. Isn't it a crime by Anonymous Coward · · Score: 1, Insightful

    for a hacker to have that information on their computer. So how is it legal for a company to keep all of that information. Not to mention making the company publicly known will make it a huge target for hackers as now every single person knows that if they get in there is 40 million identies they can have.

    Seems to me that legally it should be shut down and every single person in the database be informed that their identiy has been stolen. . . twice it would seem.

    1. Re:Isn't it a crime by owlnation · · Score: 3, Insightful

      "He's collected information that's already been stolen"

      Yes... but HOW, exactly, has he collected this information? It appears to be by using all sorts of connections all over the world, who are providing him with data and using the time and money of the State or Nation that employs them.

      That has got to be a crime. It had damn well better be a crime.

    2. Re:Isn't it a crime by rohan972 · · Score: 5, Insightful

      The pro-piracy folks around here say that copying isn't theft. I'd say that'd apply here too.

      Not just the pro-piracy folks. Although I'd like to see reform, I am in favour of copyright. Incorrectly defining terms makes sensible discussion of a topic difficult or even impossible.

      This topic doesn't inflame the argument so much because there is not a substantial portion of people who want "identity theft" to be legal. Since there is no debate on whether it should be allowed or not, using an incorrect term doesn't highjack the argument into being propaganda for one side. Theft and stealing are terms commonly used to describe things that are not in fact theft. That's usually ok, but when discussing proposed changes to laws that affect the whose society it isn't. For example, I would regard MPAA equating copying a movie with stealing a car, repetitively making that connection in the absence of opposing argument to the general population (on DVDs) as tainting the jury pool.

      A teenage girl might accuse another of "stealing" her boyfriend. No problem, until you start proposing laws to have boyfriend thieves charged with theft. At that point, it would be necessary to point out the differences and that "stealing" is not really an appropriate term for what happened. That's where we are with copyright right now. In identity theft cases, I'm not sure there is a word to properly describe it yet. It is usually done in order to commit fraud, but the harvesting of the identity info is only the first step and probably isn't fraud in and of itself. Although fraud and theft are different, common usage of theft includes fraud, so theft is perhaps the best word to use right now even though it isn't exactly correct.

      --
      http://marriedmansexlife.com/
  3. 1/10 of a cent per person by seifried · · Score: 3, Insightful

    The scary part I think is that he amassed this data for roughly 1/10 of a cent per person in there. Good thing the bad guys aren't doing this. Oh wait....

  4. Were you a victim of upskirt photography? by Anonymous Coward · · Score: 3, Insightful

    I have put together a database of upskirt photos collected from the internet. For a small fee you can peruse my collection and find out if you were a victim.

  5. Re:splitting hairs by BitterOak · · Score: 2, Insightful

    "He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

    How, exactly, does this differ from extortion?

    Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  6. Re:If he has my sensitive data... by the+real+darkskye · · Score: 4, Insightful

    If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.

    If you're in the UK you can also use the Freedom of Information act to request any information he's holding about you, but for that he can charge a nominal fee, which is how he's probably planning on making the money invested back.

    A former member of the metropolitan police and corrupt? Don't colour me surprised.

    --
    Music is everybody's possession.
    It's only publishers who think that people own it.
    Fuck Beta
    ~John Lenno
  7. Re:splitting hairs by ImNotAtWork · · Score: 4, Insightful

    Extortion is threatening to use the information against you or leaking it even more if you do not pay. The company is not doing this. The company is saying this is what I have come across during my travels... If you want to know what I know about you then pay up, you are not obligated to do so. Kind of like those for pay credit score reports. (I know you don't have to pay for the credit report.. but the credit score is a different matter.)
    I am in no way defending the practice.

    --
    open source sub sim. I might start coding again for this. http://dangerdeep.sourceforge.net/contribute/
  8. Re:splitting hairs by maxwell+demon · · Score: 3, Insightful

    So if I buy some stolen goods from a thief and then sell that stuff back to the original owners, then I'm fine because I'm not the one who has stolen the stuff? I don't think so.
    So why is this case different?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  9. Re:splitting hairs by CorporateSuit · · Score: 2, Insightful

    Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.

    That depends on when he acquired it, and the resources he used. If he acquired it on the job, or using government equipment and/or connections, then it's the government's information and he doesn't have the right to sell it. If this was a "post-retirement" project he's been working on, then it would be legal.

    --
    I am the richest astronaut ever to win the superbowl.
  10. Is mine there? How much did it go for? Only That?! by gestalt_n_pepper · · Score: 3, Insightful

    Well then, I'd like it *back* please. I wasn't done using it yet. You can have it after I'm finished.

    --
    Please do not read this sig. Thank you.
  11. Re:splitting hairs by FromellaSlob · · Score: 5, Insightful

    If this was a "post-retirement" project he's been working on, then it would be legal.

    No it wouldn't. This guy has no legal basis to acquire or retain this data, he's in very serious breach of the UK Data Protection Act.

  12. Prosecute for possesion of stolen property by Bob_Who · · Score: 4, Insightful

    Lets be fair, he's in possession of stolen property, and although he has turned himself into the authorities, the law applies to all criminals, no matter how they draw a pension. Perhaps the blokes that raid private events based on facebook tags should try the swat team or bomb squad and put a stop to extortion and misuse of public authority. Its looking like a gang related organized crime syndicate, or perhaps its all a coincidence or just an invitation for the blue hats to hack his target rich database. Good thing he's armed with a mace and a night stick. That way he can defend the 40 million people who he feels each owe him .000567 in order to recoup expenses for obtaining stolen ID's.

  13. A discussion on morality. by MrCrassic · · Score: 2, Insightful

    I'm interested in hearing people's thoughts on the morality of this sale. Sales like these are completely non-unique, with one prominent example being the credit score business in the United States. As far as I know, Americans are only entitled to know their credit score for free twice a year, and no more. Additionally, lenders don't provide any fair warning that a person's credit score is at risk; in fact, younger credit card owners are encouraged to use their credit cards as primary spending sources with sign-up incentives and looser overall operating conditions.

    Personally, I think that it's completely immoral to charge people for knowing whether their most treasured assets are at risk. Just don't let CNN know about it; I really don't want to deal with a full work day of them discussing privacy breaches, credit card fraud and how this all impacts Obama and Michael Jackson. (He's still dead.)

    1. Re:A discussion on morality. by socsoc · · Score: 2, Insightful

      Yanks are eligible for a free report once a year, from each of the three credit bureaus, so the smart ones of us space them out and get one at a time. www.annualcreditreport.com. They don't give us the actual score, that varies by bureau and costs extra, just the report. It's meant to find inaccurate information. We also do get free reports (you have to request it) when credit is denied because of one of those bureaus.

  14. Re:So let me get this straight... by Eil · · Score: 4, Insightful

    So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me.

    More than a little fishy. I read this as, "British fraud officer leaves the force, collects the personal information of 40 million people from the black market and his buddies in law enforcement, and is now using it to make money. Oh, but it's not unethical this time because he used to be a policeman." If it was illegal for the phishers and fraudsters to have this ill-gained information, why is it not illegal for a former police officer to have it?

    I know there are no privacy laws in Britain, but here in the U.S., I would hope that there's a law providing for the destruction of personal and/or financial details that were obtained illegally once they are no longer considered evidence in an ongoing prosecution.

  15. Re:If he has my sensitive data... by plover · · Score: 2, Insightful

    The problem is that it's not very secure because there's a finite search space. If the database and system were illicitly copied, a dictionary attack (aka "preparing a rainbow table") would serve well to "unhash" most of the data in the database.

    There are only 60 million Britons, and you can probably get or guess a good share of their names. Input them into the hashing routine, and you get a hash: let's say that "JOHN SMYTHE" hashes to "abc123". Next, you generate the 100 million possible taxpayer identification numbers, and hash those: "111-22-33-444" hashes to "def456". Once you've built the rainbow tables, if you look in the database and find a row with "abc123 def456", you know that JOHN SMYTHE's taxpayer number is 111-22-33-444. You know everybody's taxpayer number.

    Salting the hashes makes the problem harder, but you can't salt an index value or it's unsearchable. So key columns are going to be unsalted. And what are likely to be the key columns? Name and TIN.

    Hashing only secures data when there is an infinite set of probable values. There is not an infinite set of names or TINs.

    --
    John
  16. Re:splitting hairs by L4t3r4lu5 · · Score: 2, Insightful

    Worse than that, isn't this just a big repository of valid identities, ripe for abuse by fraudsters?

    "Hi, my buddies and I would like to pool the information we have to check to see if we're on your list. My name is Mr Adams, and my friends names are: Taylor, Brown, Davis, Evans, Wilson, Thomas, Johnson, Roberts, Robinson, Thompson, Wright, Walker, White, Edwards, Hughes, Green, Hall, Harris, Lucas, and Price. Take your time, we want you to be thorough."

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  17. Re:Ethics? Hello? UK? Anyone home? by Inda · · Score: 2, Insightful

    Day 1: Sense of humour removal training.
    Day 2: Racist indoctrination training.
    Day 3: Brutality training.
    Day 4: Smart-arse, holier than thou training.
    Day 5: 10 minute test.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  18. So peddling stolen goods is legal now by OrangeMonkey11 · · Score: 2, Insightful

    Peddling stolen goods back to the public, so is this what retire cops do when they can no longer serve and protect the public. I thought possessing stolen goods and profiting from it is illegal, so how the hell is this former cop think it is ok for him.