Data breaches involving millions of consumers are becoming commonplace, but last week two researchers uncovered a massive database of very detailed consumer records with no clear owner. Hosted on a Microsoft cloud server, the data deals with 80 million households headed by Americans over the age of 40.
As reported in PC World, Fortune and elsewhere, security researchers Ran Locar and Noam Rotem of vpnMentor said that the unencrypted data has no clear owner. Despite their efforts to understand connections or draw conclusions about the nature of the database from their analysis, there are no easy answers about its source. Perhaps the data is a compilation drawn from multiple sources, but the data profile is consistent and, unfortunately, highly detailed, making it especially dangerous.
Detailed Consumer Profiles
Often a data breach contains data which is of limited use to criminals or to people trying to commit identity theft. For example, credit card transactions may allow a hacker to make additional false transactions but likely do not contain enough information to contact the consumer or apply for new credit cards or open new accounts. Unfortunately, the data contained in the data breach uncovered by Locar and Rotem is highly detailed and contains very useful personal information.
Data was based on households rather than individuals and appears to include full addresses (street, city, county, state and zip) as well as longitude and latitude. It also includes full names (first, last and middle initial), age and date of birth. Moreover, useful information such as title, gender, marital status, income, homeowner status and dwelling type was also included. This information could be extremely useful to hackers looking to dissect and prioritize a database based on location, income or family status.
Social Engineering Targeting
While at first glance the absence of information like bank account, credit card or social security number might seem reassuring, the detailed family data is actually very frightening. The information contained in this database would allow criminals to both segment and exploit consumers in a highly targeted manner. Without much sophistication, a criminal could target nearby households headed by solo female adults with young children, above a certain income, who own their own homes. Using this information, a criminal could plan not only sophisticated deceptions but physical attacks and home invasions.
Similarly, a criminal could target likely wealthy retired people and attempt to use social engineering techniques to persuade them to reveal bank and account information based on knowledge of family and property information they already possess and can confirm to the consumer.
So, what should you do?
One of the themes in stories we have published recently is that the richness of data being exposed about consumers is increasing. As companies harvest increasing amounts of user data, both freely given and captured automatically without users' knowledge (such as location-based and behavioral data), that information is being captured and stored in databases along with traditional information such as name and date of birth.
When that information is stored, it is eventually breached and exposed, whereupon it can be analyzed and exploited by criminals just as sophisticated as the legitimate companies who originally collected it. This allows for very sophisticated exploitation of consumers in ways that are far more dangerous than traditional identity theft purposes such as fraudulent credit card applications.
At MyProfyle, we believe this threat is further proof that everyone’s information is at risk from many different sources and that we are all exposed multiple times per year. The solution to identity fraud is not to try to lock your identity or seek unobtainable privacy but to control your identity – not just your credit – by putting yourself in the position to know of, approve or decline activity conducted in your name. That’s MyProfyle Free For Life™ Identity Protection.