In a world where privacy is increasingly becoming a luxury, a recent investigation by 404 Media has revealed a disturbing trend. For as little as $15 in Bitcoin, a bot on the messaging app Telegram can provide a detailed dossier on any individual in the U.S., including their addresses, relatives’ information, mobile phone numbers, email addresses, and even driver’s license details. The bot can also offer Social Security numbers for an additional $5.
The source of this data appears to be the credit header information held by major credit bureaus such as Experian, Equifax, and TransUnion. This information, which is collected whenever someone applies for a credit card, is then sold to other companies, who in turn offer it to debt collectors, insurance companies, and law enforcement. However, it seems that criminals have found a way to tap into this data supply chain, sometimes by stealing the identities of former law enforcement officers. The tool tested by 404 Media has been used to gather information on high-profile targets such as Elon Musk, Joe Rogan, and President Joe Biden. The tool is advertised in chat rooms focused on swatting (placing bogus calls that result in a heavily armed police response to a specific location), SIM swapping (hackers taking over a victim’s phone number to receive login codes and break into their online accounts), and physical violence. The tool requires little to no technical sophistication to obtain a victim’s sensitive data, and it is exceedingly difficult for the person whose data is being sold to opt out.
Senator Ron Wyden has stated that the government needs to stop these companies from packaging and selling personal information, and that senior executives prioritizing profit over national security and Americans’ safety should be punished. The credit bureaus play a crucial role in preventing fraud by holding onto people’s most sensitive personal information and using it to verify their identities. However, they have also realized the value of this data and have diversified its use. The Federal Trade Commission (FTC) defines credit header information as the portion of a consumer’s credit report that typically contains the person’s name, birth date, current and prior addresses, Social Security number, and telephone number. While credit reports themselves are limited to certain uses under the Fair Credit Reporting Act (FCRA), credit bureaus and data brokers generally believe credit header data falls under a different piece of legislation: the Gramm-Leach-Bliley Act (GLBA).
This law allows the credit bureaus to sell credit header information to third parties under a set of use cases that are much broader than those for the full credit report. In February, a group of activist and legal organizations wrote to the Consumer Financial Protection Bureau (CFPB) about this legislative issue around credit header data. They argue that the bureaus are wrong to read a 2011 FTC report as exempting credit header data from the protections that apply to a full credit report. At some point in this trickle-down of data, criminals have found a way in. 404 Media accessed around 10 Telegram groups where members discuss and advertise bots that offer personally identifiable data for sale. Prices fluctuate between around $15 and $40 depending on what type of data a customer wishes to buy. The exact data broker the criminals used to obtain data appears to have changed over time. In January, criminals were advertising access to a tool called TLOxp, owned by TransUnion.
More recent Telegram messages suggest the new wave of cybercriminal access to TLOxp was short-lived, before they moved on to other providers. TransUnion is aware of its brand recognition within the criminal underground. The company deploys various safeguards and protections to ensure its data is only used as legally permitted, but acknowledges that unauthorized parties do sometimes gain access. Other companies mentioned by the criminals, including Microbilt and another called LocatePlus, did not respond to requests for comment. Privacy and legal campaigners believe the solution is plugging the flow of credit header data at the bureaus. “We really believe that the real, fundamental problem is that this information is being bought and sold to begin with,” said Julie Mao, co-founder and deputy director of Just Futures Law. In March, the CFPB put out a request for information about data brokers, where organizations can write in with their concerns about the trade of data.
Last week, the CFPB announced it was proposing new rules that would change the regulation of credit header data. Under those proposals, brokers would not be able to sell such data for targeted advertising, training AI, or to perpetrators of domestic violence. However, the entire process could still take a long time. Laura Rivera, policy counsel at Just Futures Law, believes the CFPB already has the power to combat the sale of credit header data. “We want the agency to act now, and not wait for a lengthy regulatory process to close the credit header data loophole,” she said. Experian stated that they thoroughly vet all clients and partners, and contractually require them to maintain high levels of commitment to the responsible use and security of data and uphold laws. Equifax did not respond to multiple requests for comment. Senator Wyden added that data brokers pose both a threat to U.S. national security and to Americans’ safety and privacy. “These unaccountable companies have recklessly sold Americans’ information to agents working for foreign governments and have enabled hackers to access and sell Americans’ personal information to anyone with a credit card.”