Celebrity credit reports posted by ID thieves taken from free website

Government-mandated website abused to access sensitive credit reports.

by Dan Goodin - Mar 12 2013, 11:10pm EDT    http://arstechnica.com/security/2013/03/celebrity-credit-reports-posted-by-id-thieves-taken-from-free-website/

exposed.su

Details from some of the famous identity-theft victims whose personal information was mysteriously published online were fraudulently obtained from a government-mandated website designed to make it easy for consumers to access their credit reports, credit agency officials said.
At least four of the high-profile celebrities and political figures—who include Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were "accessed inappropriately" from annualcreditreport.com, a spokesman for credit agency Equifax told Ars. The site allows consumers to obtain a free copy of their credit reports by entering their birth dates, Social Security numbers, and home addresses and then answering several multiple-choice questions involving previous addresses, mortgages or loans taken out, and similar types of information. Once someone provides the correct answers, he gets access to a report providing a wealth of additional personal information, including loan and mortgage details, phone numbers, and previous addresses.
"What it appears happened is that personal identifiable information was evidently accessed or somehow obtained by the fraudsters who therefore were able to go into annualcreditreport.com and get some pieces of information on some individuals," Equifax spokesman Tim Klein said in an interview. "It's four individuals that we can confirm that were accessed inappropriately by fraudsters by going through annualcreditreport.com and procuring some information off their Equifax credit report."
Klein declined to name the specific individuals whose information was fraudulently obtained. But he did confirm to Ars that all four were among the 20 people whose sensitive personal information was posted on the exposed.su website that surfaced on Monday.
Statements issued by the other two credit agencies, TransUnion and Experian, reported similar compromises. TransUnion said perpetrators used "considerable amounts of information about the victims, including Social Security numbers and other sensitive, personal identifying information that enabled them to successfully impersonate the victims over the Internet in order to illegally and fraudulently access their credit reports." For its part, Experian said "criminals accessed personal credential information through various outside sources, which provided them with sufficient information to illegally access a limited number of individual reports from some US credit reporting agencies." Neither agency said how many individuals were compromised or confirmed that they were the same celebrities and political figures whose details were aired on the exposed.su.

No previous experience required

TransUnion portrayed the perpetrators as "sophisticated," but in an age of Internet search engines and social media, the level of skill required to illegally access someone else's data is shockingly low. Much of the information the credit agencies use to confirm visitors' identities—for instance the street or county of a former address or the year a home mortgage was obtained—is readily available or at least inferred online. Further opening the process to fraud, questions are frequently repeated from agency to agency and are asked in multiple-choice fashion. If a someone tries and fails to abuse annualcreditreport.com to access someone's credit report from Experian, for instance, he can start over and try to use annualcreditreport.com to access the same person's credit report from TransUnion and Equifax. Since all three agencies ask many of the same questions, criminals increase their chances of success with each attempt.
"You sometimes will get the same question when you go to a different entity," said Dan Clements, team member CloudEyz.com, a virtual lost and found service. The take-away, he said: Once identity thieves know someone's Social Security number and birth date, obtaining a credit report is largely a guessing game.
Exposed.su surfaced on Monday with the personal information of a handful of household names, including the credit reports of Jay Z and socialite Kim Kardashian. In the 36 hours since then, the roster of high-profile identity theft victims has grown. At time of writing it included 20 individuals. In addition to those named above, they included First Lady Michelle Obama; former Vice President Al Gore; former vice presidential candidate Sarah Palin; former Secretary of State Hillary Clinton; Los Angeles Police Chief Charlie Beck; former California Governor Arnold Schwarzenegger; actor and director Mel Gibson; actor Ashton Kutcher; businessman Donald Trump; former wrestler Hulk Hogan; pop singers Kanye West, Beyonce, and Britney Spears; and socialites Kris Jenner and Paris Hilton.
In the past, the measures the credit agencies took to confirm the identities of people accessing their free credit reports may have been adequate. But in an age of Twitter, Facebook, and Google, those measures are clearly outdated. It may be possible that the people who used annualcreditreport.com to illegally access information in credit databases were sophisticated. But there's just as good a chance they were astute social networkers who got lucky.
Story updated to correct Michelle Obama's title.