40 Million Identities Up For Sale On the Web

An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

Where does a cop get £160,000?

[winkydink]

He saved up?

Re:Where does a cop get £160,000?

[russotto]

He's got backers, I think. Al Queda is a possibility, but I suspect it's actually SPECTRE.

Re:Where does a cop get £160,000?

[mccalli]

No, we did. We being British tax payers, of which I am one, who are currently funding his pension. We're also funding the British police too, mentioned in the article as one of his sources. It follows then that we funded his career in the Met as well.

And now the git wants us to pay for stolen information, obtained from publicly funded sources utilising his publicly funded connections to acquire. Whatever his previous achievements in the Met may or may not have been, now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.

Cheers,
Ian

Re:Where does a cop get £160,000?

[Beardo+the+Bearded]

It's easy to access. All you have to do is email him your name and credit card info and ... ... wait a minute.

Re:Where does a cop get £160,000?

[BikeHelmet]

It's his right to do whatever he wants with his pension. If he wants to create a database of stolen identities, he can do that. And if he asks for payment to see if you are inside it, he can also do that.

He just can't do anything nefarious or illegal with it.

Re:Where does a cop get £160,000?

Actually, under the Data Protection Act he isn't allowed to hold that database at all. This will end very badly for him.

Re:Where does a cop get £160,000?

[BitZtream]

Like ... actually having the information in the first place without permission of the owners of the data. The only legal thing he can do with it is destroy it.

I certainly have not authorized him to use my information.

Re:Where does a cop get £160,000?

[Kozar_The_Malignant]

now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.

Or possibly an MP.

Re:Where does a cop get £160,000?

[plover]

now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.

Or possibly an MP.

Same thing.

Re:Where does a cop get £160,000?

[Kalriath]

Oh, it's illegal all right. In many countries. Just because the US government doesn't give a crap about privacy, doesn't mean other countries don't.

Re:Where does a cop get £160,000?

[Derosian]

Actually in the US using police or federal services for personal use as an officer is a felony, thus if this guy was an American police officer he would be arrested and all his information would be confiscated as evidence for his trial.

Re:Where does a cop get £160,000?

[haifastudent]

Sounds like he may have taken the term "fraud squad" in the opposite of the way it is (ostensibly) intended...

You obviously are unfamiliar with what a "fireman" does to books.

Re:Where does a cop get £160,000?

[siloko]

This will end very badly for him.

Yes because here in the UK we always punish our criminally inclined police . . .

Re:Where does a cop get £160,000?

[sofar]

Actually, the US can have him extradited and convicted even if he didn't commit any act on US soil. Just look what happened to the UK hacker that got extradited, and the fellows who were claiming political asylum in the US for something they did outside the US.

Endangering the economic well-being of americans will likely not go unpunished, especially if amongst those are lobbyists, military personnel, etc.

one, please

[tverbeek]

I'll take one. I've been meaning to get a life.

Look up our own information, huh?

[CorporateSuit]

Hello. My name is Mr. Burns. I believe you have some info for me.
Ok Mr. Burns, what's your first name?
I... don't know....

Re:Look up our own information, huh?

[meuhlavache]

Welcome into our huge database!

To check if you are on our database please fill some informations:

Type your name/surname: *tip tip tip tip*
Type your credit card number: *tip tip tip tip tip tip tip tip tip*
Type your phone number: *tip tip tip*
Type your social security number: *tip tip tip tip tip tip tip tip tip*
[...]
Press Ok right now.

... Loading...

Sorry, you were not on our database... Fixed that!

splitting hairs

[tverbeek]

"He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

How, exactly, does this differ from extortion?

Re:splitting hairs

[BitterOak]

"He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

How, exactly, does this differ from extortion?

Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.

Re:splitting hairs

[ImNotAtWork]

Extortion is threatening to use the information against you or leaking it even more if you do not pay. The company is not doing this. The company is saying this is what I have come across during my travels... If you want to know what I know about you then pay up, you are not obligated to do so. Kind of like those for pay credit score reports. (I know you don't have to pay for the credit report.. but the credit score is a different matter.)
I am in no way defending the practice.

Re:splitting hairs

[maxwell+demon]

So if I buy some stolen goods from a thief and then sell that stuff back to the original owners, then I'm fine because I'm not the one who has stolen the stuff? I don't think so.
So why is this case different?

Re:splitting hairs

[CorporateSuit]

Because he wasn't the one who stole the information in the first place. He's merely offering a service to let you know if you've been the victim of a crime. This is very valuable information, as it could prompt you to cancel credit cards, or change PIN numbers. He had to incur some expenses to acquire this information so why should he give it away for free? The criminals are the ones that stole the information in the first place.

That depends on when he acquired it, and the resources he used. If he acquired it on the job, or using government equipment and/or connections, then it's the government's information and he doesn't have the right to sell it. If this was a "post-retirement" project he's been working on, then it would be legal.

Re:splitting hairs

[FromellaSlob]

If this was a "post-retirement" project he's been working on, then it would be legal.

No it wouldn't. This guy has no legal basis to acquire or retain this data, he's in very serious breach of the UK Data Protection Act.

Re:splitting hairs

[amicusNYCL]

No, you don't understand, that's not what this fine ex-cop is doing. It would be equivalent if you went around buying everyone's stolen goods, and then in order to recoup that cost, you charged people for the privilege of knowing whether or not their goods were stolen.

Re:splitting hairs

[Civil_Disobedient]

Yeah, I don't understand how even possessing that kind of database is legal, let alone trying to charge people for access to it.

I think this guy's business model needs some work.

Re:splitting hairs

[FromellaSlob]

The UK DPA also requires that he have a legitimate reason to hold this data in the first place, which would be either a direct customer relationship, or a third party one like a credit reference agency (where the customer gives permission for the third party data-sharing as part of their credit applications). It also requires that he hold it for no longer than strictly necessary for the purposes of said business relationship. The law in question thankfully makes this an explicitly opt-in thing, outside of government no-one can legally collect your data without your permission and then require you to opt out.

Re:splitting hairs

[Civil_Disobedient]

a world in which it was a crime simply to possess certain information would be very scary

Uh, you do realize you already live in that world, right? Right?

Re:splitting hairs

[L4t3r4lu5]

Worse than that, isn't this just a big repository of valid identities, ripe for abuse by fraudsters?

"Hi, my buddies and I would like to pool the information we have to check to see if we're on your list. My name is Mr Adams, and my friends names are: Taylor, Brown, Davis, Evans, Wilson, Thomas, Johnson, Roberts, Robinson, Thompson, Wright, Walker, White, Edwards, Hughes, Green, Hall, Harris, Lucas, and Price. Take your time, we want you to be thorough."

So let me get this straight...

[FSWKU]

He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached.

So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me. Isn't that how a lot of identity-theft scams operate in the first place? "Hey, your identity is at risk. Send us money and details and we'll check to see if you're a victim or not.........and.....YES...you are now a victim! Thank you for using Thieves-R-Us!"

Re:So let me get this straight...

[Eil]

So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me.

More than a little fishy. I read this as, "British fraud officer leaves the force, collects the personal information of 40 million people from the black market and his buddies in law enforcement, and is now using it to make money. Oh, but it's not unethical this time because he used to be a policeman." If it was illegal for the phishers and fraudsters to have this ill-gained information, why is it not illegal for a former police officer to have it?

I know there are no privacy laws in Britain, but here in the U.S., I would hope that there's a law providing for the destruction of personal and/or financial details that were obtained illegally once they are no longer considered evidence in an ongoing prosecution.

Re:So let me get this straight...

[mcrbids]

It took me about 10 minutes to create this simple web-page would could conceivably be used to steal identifying information. It would take a few hours to add stuff like the ability to run credit cards, and simulate a faux "Your identity was not found".

This website was easy to make using a free template found online. With the exception of the target page for all the links, it would easily pass the "sniff test" for many people. It looks friendly! It's got a kid and a butterfly on it! The news stories are current! (copy/paste from google news for "Identity Theft") Feel free to check it out. Total time spent was about 10-15 minutes. (I purposefully put in a few spelling/grammar mistakes, just to exaggerate my point)

So I hack up a spam engine, log in via some open wifi hotspot, and I have a business overnight? ID theft is much, much easier than we all think. And we want to believe that this guy isn't also doing it?

If he has my sensitive data...

[DreadfulGrape]

... can I then sue him for illegally possessing my sensitive data?

Re:If he has my sensitive data...

[the+real+darkskye]

If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.

If you're in the UK you can also use the Freedom of Information act to request any information he's holding about you, but for that he can charge a nominal fee, which is how he's probably planning on making the money invested back.

A former member of the metropolitan police and corrupt? Don't colour me surprised.

Re:If he has my sensitive data...

[plover]

The problem is that it's not very secure because there's a finite search space. If the database and system were illicitly copied, a dictionary attack (aka "preparing a rainbow table") would serve well to "unhash" most of the data in the database.

There are only 60 million Britons, and you can probably get or guess a good share of their names. Input them into the hashing routine, and you get a hash: let's say that "JOHN SMYTHE" hashes to "abc123". Next, you generate the 100 million possible taxpayer identification numbers, and hash those: "111-22-33-444" hashes to "def456". Once you've built the rainbow tables, if you look in the database and find a row with "abc123 def456", you know that JOHN SMYTHE's taxpayer number is 111-22-33-444. You know everybody's taxpayer number.

Salting the hashes makes the problem harder, but you can't salt an index value or it's unsearchable. So key columns are going to be unsalted. And what are likely to be the key columns? Name and TIN.

Hashing only secures data when there is an infinite set of probable values. There is not an infinite set of names or TINs.

1/10 of a cent per person

[seifried]

The scary part I think is that he amassed this data for roughly 1/10 of a cent per person in there. Good thing the bad guys aren't doing this. Oh wait....

Were you a victim of upskirt photography?

I have put together a database of upskirt photos collected from the internet. For a small fee you can peruse my collection and find out if you were a victim.

I'd like to check my personal details please ....

[whoever57]

My name? It's Bill Gates. Oh, no, it's Warren Buffet .... Barak Obama.......

ur doin it wrong

[interkin3tic]

I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture you can peruse my collection and find out if you were a victim.

fixed that for you

The answer is always "yes."

[zippthorne]

It's far more brilliant.

You must give him some information about yourself to determine if you're in the database, non? Information that includes your credit card numbers, perhaps. Where do you think that data goes, I wonder.

Is mine there? How much did it go for? Only That?!

[gestalt_n_pepper]

Well then, I'd like it *back* please. I wasn't done using it yet. You can have it after I'm finished.

If he really wanted to do the right thing...

[3seas]

... he'd notify the relative banks and get them to issue new cards to the card holders and then cancel the old account numbers.

Or isn't that something a police officer would not do?

Aren't the police supposed to help protect the public?

Re:If he really wanted to do the right thing...

[Minwee]

Aren't the police supposed to help protect the public?

I see that this is your first time visiting England.

The police are far too busy tracking down dangerous criminals to worry about your petty concerns.

Hmm... Who's that at the door at this hour?

[Zantetsuken]

Well I'll be, its Scotland Yard and a squad of SAS coming for tea and biscuts! What? They say they're not visiting for tea and biscuts?

Re:Hmm... Who's that at the door at this hour?

[commodoresloat]

They're actually here to do two things -- kick ass and have tea and biscuits. As it happens, however, they're all out of tea and biscuits.

Re:Isn't it a crime

[owlnation]

"He's collected information that's already been stolen"

Yes... but HOW, exactly, has he collected this information? It appears to be by using all sorts of connections all over the world, who are providing him with data and using the time and money of the State or Nation that employs them.

That has got to be a crime. It had damn well better be a crime.

Prosecute for possesion of stolen property

[Bob_Who]

Lets be fair, he's in possession of stolen property, and although he has turned himself into the authorities, the law applies to all criminals, no matter how they draw a pension. Perhaps the blokes that raid private events based on facebook tags should try the swat team or bomb squad and put a stop to extortion and misuse of public authority. Its looking like a gang related organized crime syndicate, or perhaps its all a coincidence or just an invitation for the blue hats to hack his target rich database. Good thing he's armed with a mace and a night stick. That way he can defend the 40 million people who he feels each owe him .000567 in order to recoup expenses for obtaining stolen ID's.

Date and place of birth?

[Ungrounded+Lightning]

My name? It's ... Barak Obama.......

And what is your date and place of birth?

= = = =

(Moderators: Google "Barack Obama citizenship conspiracy theories".)

Here's how to stay safe

[butabozuhi]

Go to Google (or Yahoo or Bing) and type in your full social security number. Hit ENTER. If you find your number online, you're a victim of identity theft! If you don't find your number online...just wait a few days as you just sent it clear-text for the whole world to see. Yeeeeehah!

A discussion on morality.

[MrCrassic]

I'm interested in hearing people's thoughts on the morality of this sale. Sales like these are completely non-unique, with one prominent example being the credit score business in the United States. As far as I know, Americans are only entitled to know their credit score for free twice a year, and no more. Additionally, lenders don't provide any fair warning that a person's credit score is at risk; in fact, younger credit card owners are encouraged to use their credit cards as primary spending sources with sign-up incentives and looser overall operating conditions.

Personally, I think that it's completely immoral to charge people for knowing whether their most treasured assets are at risk. Just don't let CNN know about it; I really don't want to deal with a full work day of them discussing privacy breaches, credit card fraud and how this all impacts Obama and Michael Jackson. (He's still dead.)

Re:A discussion on morality.

[dave562]

I thought that you were allowed to obtain your credit REPORT for free once or twice a year. The credit SCORE is considered proprietary information and therefore subject to a fee. I think it's a load of crap. If there was justice in the world, ANY information that ANYBODY uses as part of a process to determine how they interact with and treat you, should be freely available to you.

Re:A discussion on morality.

[socsoc]

Yanks are eligible for a free report once a year, from each of the three credit bureaus, so the smart ones of us space them out and get one at a time. www.annualcreditreport.com. They don't give us the actual score, that varies by bureau and costs extra, just the report. It's meant to find inaccurate information. We also do get free reports (you have to request it) when credit is denied because of one of those bureaus.

I too ...

[PPH]

... have a database which, for a small fee, I will be happy to verify that your records are not contained therein.

I think we've just discovered the "4) ?????" step.

Re:Isn't it a crime

[rohan972]

The pro-piracy folks around here say that copying isn't theft. I'd say that'd apply here too.

Not just the pro-piracy folks. Although I'd like to see reform, I am in favour of copyright. Incorrectly defining terms makes sensible discussion of a topic difficult or even impossible.

This topic doesn't inflame the argument so much because there is not a substantial portion of people who want "identity theft" to be legal. Since there is no debate on whether it should be allowed or not, using an incorrect term doesn't highjack the argument into being propaganda for one side. Theft and stealing are terms commonly used to describe things that are not in fact theft. That's usually ok, but when discussing proposed changes to laws that affect the whose society it isn't. For example, I would regard MPAA equating copying a movie with stealing a car, repetitively making that connection in the absence of opposing argument to the general population (on DVDs) as tainting the jury pool.

A teenage girl might accuse another of "stealing" her boyfriend. No problem, until you start proposing laws to have boyfriend thieves charged with theft. At that point, it would be necessary to point out the differences and that "stealing" is not really an appropriate term for what happened. That's where we are with copyright right now. In identity theft cases, I'm not sure there is a word to properly describe it yet. It is usually done in order to commit fraud, but the harvesting of the identity info is only the first step and probably isn't fraud in and of itself. Although fraud and theft are different, common usage of theft includes fraud, so theft is perhaps the best word to use right now even though it isn't exactly correct.

From one criminal to another. Arrest him.

[geekmux]

Charge with possession with the intent to distribute. I see no difference if he we in possession of 100 kilos of cocaine. What's to stop him from selling peoples information on this list to the highest bidder? Who's going to police the policeman? HIS morals are already in question based on his actions here.

And if he used his own money to invest in this bullshit scheme, thought shit. He should have known better.

Re:Ridiculous

[sbeckstead]

I got mine stolen by using my teller card in a machine in Orange County California. I've never actually had it stolen on line. Always by physical means.

Ethics? Hello? UK? Anyone home?

[Mashiki]

I realize this is going by the wayside and all that, but doesn't anyone in the UK police service get ethics training anymore? Let alone have some type of psych eval when they join like they do in Canada? Some serious ethical questions that should be raised not only by his service, but also by the crown.

Regardless of whether or not he retired from being a police officer or not, there's some things that don't go away when you retire. He's crossed a line, whether he realizes it yet or not. Then again, this being the UK, maybe I shouldn't be surprised, if this is commonplace for retired officers to pull stuff like this, it could be an example of how deep the rot actually goes in their entire system.

Re:Ethics? Hello? UK? Anyone home?

[Inda]

Day 1: Sense of humour removal training.
Day 2: Racist indoctrination training.
Day 3: Brutality training.
Day 4: Smart-arse, holier than thou training.
Day 5: 10 minute test.

Privacy laws in the UK

[Anonymous+Brave+Guy]

I know there are no privacy laws in Britain

Erm... Yes, there are.

If this is what it appears to be, it's a fairly obvious breach of the Data Protection Acts. Indeed, from the TFA:

The Information Commissioner, the data protection watchdog, is monitoring the development of the database. [...] The legality of the database could be put to the test in the coming week. The Information Commissioner's Office said it could not endorse a commercial service or make a ruling on its validity unless someone made a complaint. But the privacy watchdog said it had "provided advice to help the company comply with the principles of the Data Protection Act".

I rather suspect that this advice may have been "Stop. Now." :-)

The database might also fall foul of European human rights legislation that explicitly covers privacy.

So peddling stolen goods is legal now

[OrangeMonkey11]

Peddling stolen goods back to the public, so is this what retire cops do when they can no longer serve and protect the public. I thought possessing stolen goods and profiting from it is illegal, so how the hell is this former cop think it is ok for him.

what's actually happening, and the law

[feepcreature]

Since there is not much info in TFA or the summary, here's some more.

Colin Holder was a Detective Sergeant with the Metropolitan Police for 33 years or so, and left in 2004. He now works in "security and investigations".

At some time he amassed "approximately 120 million personal records that have been phished/hacked and sold between criminals on the internet". Now he's offering a free summary of the information he has, and a £10 full listing, available once you verify your identity. £10 is also what you'd pay if you made a request under the Data Protection Act for the data he holds. Also, he's not storing the information you provide to do a lookup (which is name and either postal or email address) -- unless you buy the full version of a report, clearly. He also provides information on what he's doing, guidance on security, and an explanation of why, for instance, it's not necessarily helpful to victims for him to report the data loss to credit card companies.

More data on his site.

I think he's trying to offer a useful service, and does not intend this as a scam. It's even probably socially useful to be able to know if your data is "out there". But it's hard to see if it's legal under the Data Protection Act in the UK or equivalent legislation in any EU state - assuming the collection and processing of the data happened or happens in an EU jurisdiction.

The DPA requires data to be "fairly obtained" - there is lots of guidance on exactly what this means. He may try to argue that gathering such "freely (or criminally or commercially) available" data from the net, for the limited purpose of alerting the victims, is "fair". Good luck with that - I don't think there is any precedent for that, and the legal costs could exceed the £160K he's spent so far.

The DPA also limits how long the data can be held, and the uses to which it can be put -- it has to match the purposes for which it was gathered. It's an interesting question when this legal "collection" happened - whether it was the original collection from the victims (in some case legally), any intermediate hacking (unlikely), or the Mr Holder's scraping up exercise (in which case, how could there be consent to his "purposes"?).

One issue this highlights is that, if you ever allow an EU company to share your data, or ever give data to a non-EU company, there are no limits on what they can do with it. Your data is now an asset of the company, and they can change their T&C retroactively to allow whatever use they like. So can anyone who purchases the information, or who obtains it when the "owners" go bust.

You can see why it might be useful to know if your data is "out there", and even whether it is limited to commercial organisations, or crime / hacker networks.

Maybe a change in the law to allow that might be good -- on a carefully regulated basis, so the data is not just another tradeable asset!

IANAL, WMMV, yadda, yadda...