Most Americans have very little choice but to provide their personal information to credit bureaus. Hackers have found a way into that data supply chain, and are advertising access in group chats used by violent criminals who rob, assault, and shoot targets.

It took only a few seconds to uncover the target’s entire life.
On the messaging app Telegram, I entered a tiny amount of information about my target into the dark blue text box—their name and the state I believed they lived in—and pressed enter. A short while later, the bot spat out a file containing every address that person had ever lived at in the U.S., all the way back to their college dorm more than a decade earlier. The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their driver’s license, including its unique identification number. All of that data cost $15 in Bitcoin. The bot sometimes offers the Social Security number too for $20.
This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement.
A 404 Media investigation has found that criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officers’ identities, and are selling unfettered access to their criminal cohorts online. The tool 404 Media tested has also been used to gather information on high profile targets such as Elon Musk, Joe Rogan, and even President Joe Biden, seemingly without restriction. 404 Media verified that although not always sensitive, at least some of that data is accurate.
The communities where this tool is advertised include chat rooms focused on swatting, where criminals place bogus calls that result in a heavily armed police response to a specific location; SIM swapping, in which hackers take over a victim’s phone number to then receive login codes and break into their online accounts; and physical violence, where criminals hire one another to rob, shoot, or assault their enemies and vandalize the target’s home. Overall, the tool offers exceptional power and requires little to no technical sophistication to obtain a victim’s sensitive data. Worse yet, it is exceedingly difficult for a user to opt out, and this data may be available even for people who have otherwise been careful with distributing their personal information, and who have taken steps to have their details scrubbed from other data brokers.
Senator Ron Wyden told 404 Media in a statement that “These companies have demonstrated that they can’t control who has access to their data products. The government needs to stop these companies from packaging and selling our personal information, and the senior executives that put profit over national security and Americans’ safety should be punished accordingly.”
The Supply Chain
Eighty-two percent of American adults had a credit card in 2022, according to data from the Federal Reserve. Whenever someone applies for a credit card, their financial institution transfers personal details about the customer to the big three credit bureaus, Experian, Equifax, and TransUnion. This is in part so the bureaus can track a user’s credit score. In other words, the majority of the adult population, by the simple fact of how credit cards work, will have their personal information collected and stored by these bureaus.
The bureaus also play an important role in preventing fraud, by holding onto people’s most sensitive personal information and using that to verify their identities. But years ago the bureaus realized they had such a valuable resource of data, and diversified what they did with that information, John Gilmore, head of research at DeleteMe, a company that helps scrub people’s data from the internet, said.
The bureaus made some of the data provided by consumers—known as credit header information—available to other companies. The FTC defines credit header information as the portion of a consumer’s credit report that typically contains the person’s name, birth date, current and prior addresses, Social Security number, and telephone number. Essentially, it can include everything on a person’s credit report above the details on who they have borrowed money from—the top, or the header, of the document.
While credit reports themselves are limited to certain uses such as applications for credit under the Fair Credit Reporting Act (FCRA), credit bureaus and data brokers generally believe credit header information falls under a different piece of legislation: the Gramm-Leach-Bliley Act (GLBA). This law gives the credit bureaus room to sell credit header information to third parties under a set of use cases that are much broader than those for the full credit report. Examples include protecting against fraud, or the vague term “holding a legal or beneficial interest relating to the consumer.”
In February, a group of activist and legal organizations, including the Center on Privacy & Technology at Georgetown Law, the Electronic Privacy Information Center (EPIC) and Just Futures Law, wrote to the Consumer Financial Protection Bureau (CFPB) about this legislative iss