According to CSO Online, someone is offering for sale what they claim is a 6GB file of “data enrichment” information pertaining to over 200 million people. The information in this file is truly disturbing – it provides over 80 attributes for over 200 million Americans, including:
…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.
In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.
Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).
There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.
The price for this treasure trove? US$600.
With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision. They could choose victims to concentrate their efforts on for maximum profit. Real-world attackers could also use this information to plan crimes such as burglaries or kidnappings. Governments (both foreign and domestic) could use this information to select targets for surveillance.
The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use. If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection. If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.
This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real. If this turns out to be a real story, I think we have the winner for the biggest non-political hack of 2016.