40 Million Identities Up For Sale On the Web

An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

one, please

[tverbeek]

I'll take one. I've been meaning to get a life.

Look up our own information, huh?

[CorporateSuit]

Hello. My name is Mr. Burns. I believe you have some info for me.
Ok Mr. Burns, what's your first name?
I... don't know....

Re:Look up our own information, huh?

[meuhlavache]

Welcome into our huge database!

To check if you are on our database please fill some informations:

Type your name/surname: *tip tip tip tip*
Type your credit card number: *tip tip tip tip tip tip tip tip tip*
Type your phone number: *tip tip tip*
Type your social security number: *tip tip tip tip tip tip tip tip tip*
[...]
Press Ok right now.

... Loading...

Sorry, you were not on our database... Fixed that!

splitting hairs

[tverbeek]

"He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."

How, exactly, does this differ from extortion?

Re:splitting hairs

[ImNotAtWork]

Extortion is threatening to use the information against you or leaking it even more if you do not pay. The company is not doing this. The company is saying this is what I have come across during my travels... If you want to know what I know about you then pay up, you are not obligated to do so. Kind of like those for pay credit score reports. (I know you don't have to pay for the credit report.. but the credit score is a different matter.)
I am in no way defending the practice.

Re:splitting hairs

[maxwell+demon]

So if I buy some stolen goods from a thief and then sell that stuff back to the original owners, then I'm fine because I'm not the one who has stolen the stuff? I don't think so.
So why is this case different?

Re:splitting hairs

[FromellaSlob]

If this was a "post-retirement" project he's been working on, then it would be legal.

No it wouldn't. This guy has no legal basis to acquire or retain this data, he's in very serious breach of the UK Data Protection Act.

Re:splitting hairs

[FromellaSlob]

The UK DPA also requires that he have a legitimate reason to hold this data in the first place, which would be either a direct customer relationship, or a third party one like a credit reference agency (where the customer gives permission for the third party data-sharing as part of their credit applications). It also requires that he hold it for no longer than strictly necessary for the purposes of said business relationship. The law in question thankfully makes this an explicitly opt-in thing, outside of government no-one can legally collect your data without your permission and then require you to opt out.

Re:splitting hairs

[Civil_Disobedient]

a world in which it was a crime simply to possess certain information would be very scary

Uh, you do realize you already live in that world, right? Right?

So let me get this straight...

[FSWKU]

He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached.

So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me. Isn't that how a lot of identity-theft scams operate in the first place? "Hey, your identity is at risk. Send us money and details and we'll check to see if you're a victim or not.........and.....YES...you are now a victim! Thank you for using Thieves-R-Us!"

Re:So let me get this straight...

[Eil]

So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me.

More than a little fishy. I read this as, "British fraud officer leaves the force, collects the personal information of 40 million people from the black market and his buddies in law enforcement, and is now using it to make money. Oh, but it's not unethical this time because he used to be a policeman." If it was illegal for the phishers and fraudsters to have this ill-gained information, why is it not illegal for a former police officer to have it?

I know there are no privacy laws in Britain, but here in the U.S., I would hope that there's a law providing for the destruction of personal and/or financial details that were obtained illegally once they are no longer considered evidence in an ongoing prosecution.

Re:So let me get this straight...

[mcrbids]

It took me about 10 minutes to create this simple web-page would could conceivably be used to steal identifying information. It would take a few hours to add stuff like the ability to run credit cards, and simulate a faux "Your identity was not found".

This website was easy to make using a free template found online. With the exception of the target page for all the links, it would easily pass the "sniff test" for many people. It looks friendly! It's got a kid and a butterfly on it! The news stories are current! (copy/paste from google news for "Identity Theft") Feel free to check it out. Total time spent was about 10-15 minutes. (I purposefully put in a few spelling/grammar mistakes, just to exaggerate my point)

So I hack up a spam engine, log in via some open wifi hotspot, and I have a business overnight? ID theft is much, much easier than we all think. And we want to believe that this guy isn't also doing it?

1/10 of a cent per person

[seifried]

The scary part I think is that he amassed this data for roughly 1/10 of a cent per person in there. Good thing the bad guys aren't doing this. Oh wait....

Were you a victim of upskirt photography?

I have put together a database of upskirt photos collected from the internet. For a small fee you can peruse my collection and find out if you were a victim.

Re:Where does a cop get £160,000?

[russotto]

He's got backers, I think. Al Queda is a possibility, but I suspect it's actually SPECTRE.

Re:If he has my sensitive data...

[the+real+darkskye]

If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.

If you're in the UK you can also use the Freedom of Information act to request any information he's holding about you, but for that he can charge a nominal fee, which is how he's probably planning on making the money invested back.

A former member of the metropolitan police and corrupt? Don't colour me surprised.

Re:Where does a cop get £160,000?

[mccalli]

No, we did. We being British tax payers, of which I am one, who are currently funding his pension. We're also funding the British police too, mentioned in the article as one of his sources. It follows then that we funded his career in the Met as well.

And now the git wants us to pay for stolen information, obtained from publicly funded sources utilising his publicly funded connections to acquire. Whatever his previous achievements in the Met may or may not have been, now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.

Cheers,
Ian

ur doin it wrong

[interkin3tic]

I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture you can peruse my collection and find out if you were a victim.

fixed that for you

Re:Where does a cop get £160,000?

[Beardo+the+Bearded]

It's easy to access. All you have to do is email him your name and credit card info and ... ... wait a minute.

The answer is always "yes."

[zippthorne]

It's far more brilliant.

You must give him some information about yourself to determine if you're in the database, non? Information that includes your credit card numbers, perhaps. Where do you think that data goes, I wonder.

Is mine there? How much did it go for? Only That?!

[gestalt_n_pepper]

Well then, I'd like it *back* please. I wasn't done using it yet. You can have it after I'm finished.

If he really wanted to do the right thing...

[3seas]

... he'd notify the relative banks and get them to issue new cards to the card holders and then cancel the old account numbers.

Or isn't that something a police officer would not do?

Aren't the police supposed to help protect the public?

Re:If he really wanted to do the right thing...

[Minwee]

Aren't the police supposed to help protect the public?

I see that this is your first time visiting England.

The police are far too busy tracking down dangerous criminals to worry about your petty concerns.

Hmm... Who's that at the door at this hour?

[Zantetsuken]

Well I'll be, its Scotland Yard and a squad of SAS coming for tea and biscuts! What? They say they're not visiting for tea and biscuts?

Re:Hmm... Who's that at the door at this hour?

[commodoresloat]

They're actually here to do two things -- kick ass and have tea and biscuits. As it happens, however, they're all out of tea and biscuits.

Re:Isn't it a crime

[owlnation]

"He's collected information that's already been stolen"

Yes... but HOW, exactly, has he collected this information? It appears to be by using all sorts of connections all over the world, who are providing him with data and using the time and money of the State or Nation that employs them.

That has got to be a crime. It had damn well better be a crime.

Re:Where does a cop get £160,000?

Actually, under the Data Protection Act he isn't allowed to hold that database at all. This will end very badly for him.

Prosecute for possesion of stolen property

[Bob_Who]

Lets be fair, he's in possession of stolen property, and although he has turned himself into the authorities, the law applies to all criminals, no matter how they draw a pension. Perhaps the blokes that raid private events based on facebook tags should try the swat team or bomb squad and put a stop to extortion and misuse of public authority. Its looking like a gang related organized crime syndicate, or perhaps its all a coincidence or just an invitation for the blue hats to hack his target rich database. Good thing he's armed with a mace and a night stick. That way he can defend the 40 million people who he feels each owe him .000567 in order to recoup expenses for obtaining stolen ID's.

Date and place of birth?

[Ungrounded+Lightning]

My name? It's ... Barak Obama.......

And what is your date and place of birth?

= = = =

(Moderators: Google "Barack Obama citizenship conspiracy theories".)

Re:Where does a cop get £160,000?

[BitZtream]

Like ... actually having the information in the first place without permission of the owners of the data. The only legal thing he can do with it is destroy it.

I certainly have not authorized him to use my information.

Here's how to stay safe

[butabozuhi]

Go to Google (or Yahoo or Bing) and type in your full social security number. Hit ENTER. If you find your number online, you're a victim of identity theft! If you don't find your number online...just wait a few days as you just sent it clear-text for the whole world to see. Yeeeeehah!

I too ...

[PPH]

... have a database which, for a small fee, I will be happy to verify that your records are not contained therein.

I think we've just discovered the "4) ?????" step.

Re:Isn't it a crime

[rohan972]

The pro-piracy folks around here say that copying isn't theft. I'd say that'd apply here too.

Not just the pro-piracy folks. Although I'd like to see reform, I am in favour of copyright. Incorrectly defining terms makes sensible discussion of a topic difficult or even impossible.

This topic doesn't inflame the argument so much because there is not a substantial portion of people who want "identity theft" to be legal. Since there is no debate on whether it should be allowed or not, using an incorrect term doesn't highjack the argument into being propaganda for one side. Theft and stealing are terms commonly used to describe things that are not in fact theft. That's usually ok, but when discussing proposed changes to laws that affect the whose society it isn't. For example, I would regard MPAA equating copying a movie with stealing a car, repetitively making that connection in the absence of opposing argument to the general population (on DVDs) as tainting the jury pool.

A teenage girl might accuse another of "stealing" her boyfriend. No problem, until you start proposing laws to have boyfriend thieves charged with theft. At that point, it would be necessary to point out the differences and that "stealing" is not really an appropriate term for what happened. That's where we are with copyright right now. In identity theft cases, I'm not sure there is a word to properly describe it yet. It is usually done in order to commit fraud, but the harvesting of the identity info is only the first step and probably isn't fraud in and of itself. Although fraud and theft are different, common usage of theft includes fraud, so theft is perhaps the best word to use right now even though it isn't exactly correct.

Re:Where does a cop get £160,000?

[plover]

now he is simply a slimy scammer trading in stolen goods. The man is a disgrace.

Or possibly an MP.

Same thing.

Re:Ridiculous

[sbeckstead]

I got mine stolen by using my teller card in a machine in Orange County California. I've never actually had it stolen on line. Always by physical means.

Privacy laws in the UK

[Anonymous+Brave+Guy]

I know there are no privacy laws in Britain

Erm... Yes, there are.

If this is what it appears to be, it's a fairly obvious breach of the Data Protection Acts. Indeed, from the TFA:

The Information Commissioner, the data protection watchdog, is monitoring the development of the database. [...] The legality of the database could be put to the test in the coming week. The Information Commissioner's Office said it could not endorse a commercial service or make a ruling on its validity unless someone made a complaint. But the privacy watchdog said it had "provided advice to help the company comply with the principles of the Data Protection Act".

I rather suspect that this advice may have been "Stop. Now." :-)

The database might also fall foul of European human rights legislation that explicitly covers privacy.

Re:Where does a cop get £160,000?

[Derosian]

Actually in the US using police or federal services for personal use as an officer is a felony, thus if this guy was an American police officer he would be arrested and all his information would be confiscated as evidence for his trial.

Re:Where does a cop get £160,000?

[siloko]

This will end very badly for him.

Yes because here in the UK we always punish our criminally inclined police . . .