GO
Loading...

Cybercrime: Hackers sell Social Security info

Monday, 30 Sep 2013 | 4:30 PM ET
Thomas Samson | AFP | Getty Images

Three large providers of online personal data confirmed to CNBC that they were victims of security breaches on Thursday. Cybersecurity expert Brian Krebs revealed the results of his seven-month investigation earlier in September, on his blog, KrebsonSecurity. He found that potential identity thieves purchased more than a million Social Security Numbers from a site he believes is responsible for the hacks.

Hackers targeted LexisNexis, Kroll Background America and Dun & Bradstreet.

LexisNexis, a provider of identity verifications and background checks, issued a statement confirming that it "identified an intrusion targeting our data." Altegrity's Kroll Background America, which provides employment background checks, said in its statement that its "web-hosting servers were infected with a malicious software program," or so-called malware. Similarly, D&B spokeswoman Michele Caselnova wrote in an email, "I can confirm that D&B was one of several victims of a cyberattack." D&B provides commercial and business information.

While the three data brokers confirmed the breaches, none would confirm that personal information was taken. LexisNexis, for its part, said in its statement that there was "no evidence that customer or consumer data were reached or retrieved." Kroll said in its statement that it is investigating the impact of the malware, and D&B would not comment on whether personal data was accessed.

Hack attacks like those that affected the three data brokers cost the United States at least $70 billion a year, according to a study by McAfee and the Center for Strategic and International Studies. Companies spent almost $1 billion in 2012 on insurance to cover their risks, according to the study.

The FBI confirmed that it is investigating the breaches. All three companies said they are working with authorities.

(Read more: US charges six in biggest credit card hack on record)

The five legal loopholes hackers are slipping through
CNBC's Scott Cohn reports that though hacking costs the U.S. at least $70 billion a year, many cybercrime laws have not been updated. Hacking America presents five legal loopholes that may give hackers a financial incentive.

Krebs, a former Washington Post reporter, connected these breaches to SSNDOB.ms, referred to as SSNDOB. This website sold personal information, including Social Security numbers and dates of birth. SSNDOB was known for its reliability on identity theft forums, according to Krebs.

According to Krebs, unknown hackers attacked SSNBOD this summer, and published its data logs. Krebs analyzed the logs to find where SSNDOB was getting its information, finding two hacked servers at LexisNexis, two compromised systems at D&B and one compromised system at Kroll. Compromised systems are part of a company's network that has been breached by hackers.

CNBC has been unable to contact SSNDOB for comment because the site is down.

These hacks fueled SSNDOB, where anyone, including cybercriminals, was able to purchase Social Security numbers, birth dates and credit checks, among other personal information. The data were sold at prices ranging from 50 cents to $15. SSNDOB even took cybercurrency, such as bitcoin and WebMoney. All together, the site raised $50,000 to $70,000 a month, according to Krebs.

While Krebs could not pinpoint the exact number of people affected, he did find that SSNDOB sold 1.02 million unique Social Security numbers and almost 3.1 million dates of births since early 2012.

The three companies shut down the breaches with 48 hours of Krebs notifying them. However, Krebs believes there may be other systems compromised at these data brokers.

Furthermore, while SSNDOB is currently shut down, it may relaunch. "They are probably in the process of seeing how they got hacked and making sure it doesn't happen again," Krebs said.


(Read more: CNBC's Special Report: Hacking America)

—By Jennifer Schlesinger, CNBC.

  Price   Change %Change
DNB
---

Featured

  • CNBC's senior correspondent and lead investigative reporter, Scott Cohn also appears on "NBC Nightly News with Brian Williams," the "Today" and on MSNBC.

  • Co-anchor of CNBC's "Squawk on the Street," David Faber also is a co-producer of CNBC's original documentaries.

  • Eamon Javers is a reporter based at CNBC's Washington, D.C. bureau, appearing on business day programming and contributes to CNBC.com.

Investigations Inc.: Cyber Espionage

  • When a person enters information on a website, like an email or credit card, it gets stored in that company’s data base. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can put in a specially crafted text that may cause the database to execute the code instead of simply storing it, Alperovitch said. The result is a “malicious takeover of the system,” he said.

    By attacking business computer networks, hackers are accessing company secrets and confidential strategies and creating huge losses for the overall economy.

  • China is working feverishly to counteract its slowest GDP growth in recent years, and one of the ways it’s doing so, say U.S. officials, is through the theft of American corporate secrets.

  • US businesses are enduring an unprecedented onslaught of cyber invasions from foreign governments, organized crime syndicates, and hacker collectives, all seeking to steal information and disrupt services, cybersecurity experts say.

Technology

  • Google headquarters in Mountain View, Calif.

    Why Google's modular phone beats Google Glass as the gadget to keep an eye out for.

  • Facebook's latest moves in mobile have shown how messaging is shifting from SMS texts to full-blown content sharing.

  • Is Google fiber coming to New York? CNBC's Jon Fortt and Peter Kafka, Re/Code senior editor, discuss the possible entrance of Google fiber into the New York marketplace and what hurdles the tech giant will have to clear.

Technology Explained