{"id":484393,"date":"2022-01-25T19:40:00","date_gmt":"2022-01-25T19:40:00","guid":{"rendered":"https:\/\/www.propublica.org\/article\/identity-theft-surged-during-the-pandemic-heres-where-a-lot-of-the-stolen-data-came-from#1246909"},"modified":"2022-01-25T19:40:00","modified_gmt":"2022-01-25T19:40:00","slug":"despite-decades-of-hacking-attacks-companies-leave-vast-amounts-of-sensitive-data-unprotected","status":"publish","type":"post","link":"https:\/\/radiofree.asia\/2022\/01\/25\/despite-decades-of-hacking-attacks-companies-leave-vast-amounts-of-sensitive-data-unprotected\/","title":{"rendered":"Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected"},"content":{"rendered":"\n

by Cezary Podkul


Consider some of the episodes last year in which large quantities of personal data were stolen: 300 million customer and device records for users of a service that’s supposed to shield internet traffic from prying eyes; a 17.6-million-row database from a second organization, containing profiles of people who participated in its market research surveys; 59 million email addresses and other personal data lifted from a third company. These sorts of numbers barely raise an eyebrow these days; none of the incidents generated major press coverage.

Cybertheft conjures images of high-tech missions, with sophisticated hackers penetrating multiple layers of security systems to steal corporate data. But these breaches were far from “Ocean’s Eleven”-style operations. They were the equivalent of grabbing jewels from the seat of an unlocked car parked in a high-crime neighborhood.


In each case, the companies left the data exposed online with little or no security. So says Pompompurin, a pseudonymous hacker who posted the millions of stolen records cited above on RaidForums, a discussion board popular with cybercriminals seeking personal data. Pompompurin told ProPublica that he often doesn’t need to do much hacking to get his hands on sensitive personal data. Many times, it’s left in cloud storage folders available to anyone with internet access. Pompompurin said he scans the web for such unguarded material and then leaks it on RaidForums “because I can and it’s fun.”

The exposed data extends far beyond what can be found on RaidForums, ranging from the prosaic and useless to the ultravaluable. In recent years, it has included everything from names, emails and chat transcripts of users of a sex cam website to America’s secret terrorist watch list to a virtual hard drive from the federal government with sections classified as “top secret.”

Such incidents helped make 2021 a record year for data breaches, according to the Identity Theft Resource Center. Data exposure events, in which sensitive data is left sitting online, were responsible for cybersecurity incidents involving an estimated 164 million of the 294 million people victimized in 2021, according to the center.

For years, companies have been vowing to harden their electronic defenses as cybersecurity firms repeatedly warned them about the pitfalls of this form of laxity. But to little avail. “It keeps happening because people commonly forget or they just think it’s private when it isn’t,” Pompompurin told ProPublica.

There’s another reason, one that companies don’t like to talk about: It’s often cheaper to clean up a breach than it is to avoid one in the first place. Corporate losses from a data breach typically run around $200,000, according to a recent study of 56,000 cybersecurity incidents published by the Cyentia Institute, a cybersecurity research firm.

The low costs don’t justify investing more in data security, according to Sasha Romanosky, a researcher at the RAND Corporation who has studied the issue. “The companies don’t bear the cost of these actions,” Romanosky said. “It is borne by the consumers.”

The tab for taxpayers is mammoth. Identity theft enabled what may turn out to be the biggest fraud wave in U.S. history, siphoning off tens if not hundreds of billions of dollars of unemployment insurance payments, small business loans and grants. For unemployment insurance systems alone, estimates of the loss have ranged from around $90 billion to $250 billion or more. Whatever the ultimate figure, it will fall on the shoulders of taxpayers.

Meanwhile, vast quantities of data remain undefended. About 8 billion files are exposed across cloud storage folders on the internet, according to Grayhat Warfare, a service that monitors open cloud storage folders and lets users search their contents. And a total of at least 7.2 million databases are exposed online, according to an internet scan performed for ProPublica by Censys, a search engine that catalogs internet-connected devices and services, ranging from database servers to computers managing drive-thru restaurants to surveillance cameras.

The result is that gathering personal data on individuals is easier today than it was a decade ago, said Ngô Minh Hiếu, a reformed hacker who once ran an online store offering up personal data on about 200 million Americans. Stores like the one he once ran have proliferated online in recent years. “The information, it just sits there waiting for you to get it,” Hiếu said.

Hiếu is now a so-called white hat hacker, seeking to identify black hats, like Pompompurin, and help companies guard against vulnerabilities they may exploit. But when it comes to exposed data in the U.S., the black hats are winning.

Americans rarely get a glimpse of hackers, much less what their work entails. They might be surprised to learn how little experience is needed. People often think hackers are highly sophisticated, Troy Hunt, creator of data breach tracking website Have I Been Pwned, told ProPublica. But in reality, there’s so much unsecured data online that most of the 11.7 billion email addresses and usernames in Hunt’s collection come from young adults who watch a few instructional videos and figure out how to grab them for malicious purposes. “It’s coming from kids with internet access and the ability to run a Google search and watch YouTube videos,” Hunt said in a 2019 talk about how hackers gain access to data.

Hiếu was once one of those teenagers. He grew up in a Vietnamese fishing town where his parents ran an electronics store. His dad got him a computer at age 12 and, like many adolescents, Hiếu was hooked.

His online pursuits quickly took a wrong turn. First, he started stealing dial-up account logins so he could surf the web for free. Then he learned how to deface websites and abscond with data left exposed on them. In high school, he joined forces with a friend who helped him pilfer credit card data from online stores and make up to $500 a day reselling it.

Eventually fellow hackers told him the real money was in aggregating and reselling Americans’ identities. Unlike credit cards, which banks can cancel instantly, stolen identities can be reused for various fraudulent purposes.

Beginning around 2010, Hiếu went looking for ways to get detailed profiles of Americans. It didn’t take long to find a source: MicroBilt, a Georgia-based consumer credit reporting firm, had a vulnerability on its website that allowed Hiếu to identify and take over user accounts. Hiếu said he used the credentials to start querying MicroBilt’s database. He sold access to the search results on his online data store, called Superget.info.

MicroBilt spotted the vulnerability and kicked Hiếu out, setting off a monthslong standoff during which, Hiếu said, he exploited several vulnerabilities in the company’s systems to keep his store going. MicroBilt did not respond to requests seeking comment.

Tired of the back and forth, Hiếu went looking for another source. He found his way into a company called Court Ventures, which resold aggregated personally identifiable information on Americans. Hiếu used forged documents to pretend he was a private investigator from Singapore with a legitimate use for the data. He called himself Jason Low and provided a fake Yahoo email address. Soon, he was in.

Ngô Minh Hiếu in Ho Chi Minh City (Yen Duong, special to ProPublica)

Hiếu’s fake account turned Superget.info into a go-to destination for cybercriminals, what U.S. prosecutors later described as the Amazon of stolen identities. In essence, Hiếu was a wholesaler, dealing search results for particular details like driver’s licenses or Social Security Numbers or packages of identity information. He offered individual and bulk search plans and allowed cybercriminals to resell the data in their countries via reseller arrangements. One of his biggest resellers was a Russian going by the alias “Devil.” Other customers were located in the U.S., Ukraine, Brazil, Romania, Vietnam, Ghana and Nigeria, according to Matt O’Neill, a senior special agent at the U.S. Secret Service, which began investigating Hiếu in 2011. By distributing the data so widely, Hiếu “caused more material financial harm to more Americans than any cyber fraudster,” O’Neill said.

By the time he was 22, Hiếu estimated, he was earning $100,000 to $150,000 a month in a country where the average person earns less than $200 per month. He splurged on luxury cars, like a customized Hyundai, a BMW and a Lexus, and got himself a $10,000 cellphone. He treated his family to vacations at high-end resorts and helped his parents repay some debts. When they asked how he was making his money, recalled his sister Ngô Nora, he’d say he was creating websites.

Hiếu’s empire began to unravel when the Secret Service alerted Court Ventures’ parent company, Experian, to his activities, and the firm cut off his data access. (Experian has said it didn’t know about Hiếu’s fake account with Court Ventures when it bought the company in 2012. A spokesperson said the company is “deeply committed to helping consumers protect their data from today’s increasingly sophisticated cyber criminals.”)

Addicted to his opulent lifestyle, Hiếu went looking for another data source. O’Neill, the Secret Service agent, saw an opening: He convinced a cooperating defendant in another case to message Hiếu and offer him the promise of an even better data source than Experian — but only if he’d meet with another contact in the U.S. territory of Guam to strike a deal.

Hiếu resisted the entreaties at first, O’Neill recalled in an interview. But in February 2013 Hiếu gave in and hopped on a flight to Guam. Soon after he landed, finally putting him within reach of U.S. law, the Secret Service arrested him.

Facing up to 45 years behind bars, Hiếu agreed to cooperate and pleaded guilty to multiple counts of fraud. He let O’Neill use his email and online persona to talk to his customers. O’Neill said he spent two years asking them why they were seeking to buy people’s personal information. Most said they wanted the data so they could file fake tax returns in other people’s names and obtain the refunds. The Internal Revenue Service estimated that nearly 14,000 victims had fraudulent tax returns filed in their names claiming a total of $65 million in refunds using data from Hiếu’s store. Evidence gathered by O’Neill helped in the prosecution of about two dozen of the perpetrators.

Hiếu said he had never wondered why his customers wanted data. “It’s just numbers, information,” he told himself when he ran his website. It was only after he was sentenced to 13 years in prison in July 2015, he said, that he realized the harm he had caused.

Hiếu was shuffled among local and federal prisons in New Hampshire, Ohio, Louisiana, New Jersey, New York, Mississippi and Texas as he cooperated with authorities in various cases against his former clients. The low-security prisons gave him an opportunity to keep in touch with the outside world and to rehabilitate himself, which he’d vowed to do.

Hiếu completed anger management and life skills classes, according to court records, and attended group counseling sessions during his stay at a county jail in Dover, New Hampshire. He started reading the Bible. His counselor at the Dover jail, Minnett Induisi, said Hiếu took responsibility for his actions. “In all my years of working at the jail, I have never seen someone so committed to making himself a better person,” said Induisi, who has taught at the jail for 41 years.

In 2016, Hiếu wrote a long email to the assistant U.S. attorney who had prosecuted his case. It detailed his acts, including the MicroBilt and Experian hacks, along with his theft of 100,000 credit card details from a U.K. retailer and personal data from U.S. and Canadian payday lenders. He wrote that he found his targets by running a service that scanned the internet 24 hours a day to find vulnerabilities in websites that he could use to steal data.

Hiếu said he wrote the email because he no longer had anything to hide. He dreamed of returning online not as a cybercriminal but as a researcher who would help catch cybercriminals. To maintain his skills and keep up with cybersecurity news, he used tablets in prison libraries, read books and wrote a digital security guide for the average person. He called it “Online Security Tips From a Former Hacker” and vowed to publish it when he left prison.

The need for white hats, Hiếu could see, was exploding. Hacking itself was as old as computer networks, but the rise of cloud computing had multiplied the opportunities exponentially. Governments and businesses around the world had embraced the cloud, migrating ever more data and software from their own computers to remote servers accessed via the internet. The move revolutionized e-commerce, making it easier and faster to store data, share files, stream videos, develop apps, collaborate and create new software and technology of all sorts. The trend, well under way in the first decade of the century, only accelerated in the 2010s.

The speed of the migration had a downside. In their rush to embrace cloud computing, businesses and governments often forgot to secure the data they were moving into the cloud. Often, the failure to change a single setting on a database server or a storage folder on a cloud service meant the difference between keeping it private or exposing it to the world.

Anyone looking to find unprotected data could fire up a specialized search engine and start sifting through the internet like a prospector searching for gold. In mid-2015, Chris Vickery, an IT help desk technician at a Texas law firm, started using one such search engine called Shodan to identify devices and services connected to the internet. Within months, he discovered a trove of customer data belonging to MacKeeper, a popular antivirus tool for Mac users. “I have downloaded over 13 million accounts’ details from a publicly accessible and completely exposed database,” he wrote in a Dec. 14, 2015 email alerting MacKeeper to the vulnerability.

Volodymyr Diachenko was on the receiving end of that alert, which prompted a swift response from MacKeeper. At the time, he was a PR manager for the company, based in Ukraine. Vickery’s discovery prompted Diachenko to team up with Vickery and start hunting for similar vulnerabilities. “It was so alarming and disturbing that I wanted to learn more about how it happened and to start alarming other companies about how much they have exposed,” Diachenko said in an interview. Diachenko and Vickery found massive quantities of untended data, including passport data and Social Security Numbers, scattered across the web.

Black hats took notice, too. In 2015, an individual calling himself Omnipotent launched RaidForums, an online message board where hackers could advertise leaked databases and store them for easy retrieval. The website became the destination of choice for black hats looking to share data or auction off their finds to the highest bidder, aggregating billions of leaked records across thousands of data dumps.

A person who responded to messages directed to Omnipotent told ProPublica that he founded RaidForums because he believes in freedom of information: “And what I mean specifically is that if a hacker is in the dark web selling a database with your information you should yourself be aware of it and able to access that data for free through my services or similar.” Omnipotent acknowledged that individuals with malicious motives may access the data as well, “but that’s no reason to just stop making data free.”

Similar sites increasingly abound. WeLeakInfo offered personal information obtained in over 10,000 data breaches containing some 12 billion searchable records until it was shut down by authorities in 2020. Analysts for cyber threat intelligence firm Flashpoint have noticed about 100 websites offering up stolen identities over the past year. ProPublica spotted similar services operating on the messaging app Telegram, which abruptly shut some of them after our inquiry.

The proliferation of such sites is crucial to the techniques used by cybercriminals. They often combine pieces of stolen information from various sites to build profiles of targets for exploitation. It’s why hackers often build huge collections of leaked databases and “trade them like Pokemon cards,” said Allison Nixon, chief research officer at cybersecurity investigation firm Unit 221B.

What has become an ongoing war between white hats and black hats necessitates vigilance and swift action. When Diachenko intentionally left a database exposed in 2020 to see how long it would take for it to get noticed and accessed, the first intrusion came just 8 hours and 35 minutes after it went live, followed by 174 more over 12 days. The experiment ended when an attacker deleted the database contents and left a ransom note demanding a Bitcoin payment to avoid having the data posted online.

Often it’s not clear if companies take any action in response to warnings from white hats. On Oct. 8, Diachenko discovered the collection of 300 million customer and device records for users of several virtual private networks, which help internet users shield their web traffic. He alerted the company that owned the services, ActMobile Networks, but did not get any response for nearly three weeks. (ActMobile didn’t reply to ProPublica’s inquiries.) Eventually, ActMobile denied having any databases and threatened to “take action” against Diachenko if he wrote about his discovery. By then, black hats had noticed the data as well. On Nov. 1, the records made their debut on RaidForums.

That data was posted by Pompompurin, who joined RaidForums in October 2020 and quickly became one of its most active members. Pompompurin, whose alias was borrowed from a Japanese cartoon dog, told ProPublica that he has leaked around 20 databases online and has more than 100 “on my pc just chilling.”

Collecting and sharing data isn’t just a pastime for him. It’s also a commercial enterprise at times. After another hacker obtained customer data from the stock-trading app Robinhood in November, Pompompurin helped sell the material, posting an ad on RaidForums seeking bids for the spoils. “No lowball offers,” the advertisement read. “This is highly profitable if in the right hands.” He confirmed that he sold it, but wouldn’t say for how much.

The ease with which companies’ data can be harvested led Pompompurin to write a blog post praising ransomware. The post argues that the high cost of ransom might finally prompt companies to take data security seriously.

Pompompurin appears to be a sort of nondenominational hacker, targeting not only lax companies, but even other cybercriminals. For example, he figured out a way to get a copy of the credit card details for customers of WeLeakInfo. He dumped those online too.

Pompompurin is happy to discuss his activities and his philosophy, but not his identity. (Pompompurin was willing to confirm that his preferred personal pronoun is “he.”) Still, some clues about his potential identity may be starting to appear as he spars online — black hat vs. white hat — with a cybercrime investigator named Vinny Troia, who has been researching his activities and recently purported to unmask him.

In November, Troia published a blog post tracing the Pompompurin alias to a cybersecurity professional in Calgary, Alberta, named Chris Meunier. Meunier started hacking around the age of 14, according to Troia, cycling through various online aliases as he collaborated with a childhood friend on data heists conducted by a fearsome hacking group known as the Dark Overlord. (A website for a Calgary-based company called WhitePacket lists its proprietor as Meunier. He did not respond to emails seeking comment and could not be reached by phone.)

Pompompurin denied that he’s Meunier in a message exchange with ProPublica and in a Nov. 16 blog post on his website. Pompompurin describes himself on his site as a “threat actor, website administrator and proud Canadian.” He has retaliated against Troia, including by commandeering an FBI email alert system and using it to send out fake emails about him. Pompompurin told ProPublica he did that “because it was fun.”

Pompompurin’s public jousts with Troia reveal the hacker’s thinking. In April, when Pompompurin published a post on RaidForums unveiling the trove of 59 million email addresses and other information on tens of millions of Americans, he also posted a screenshot of a chat with Troia about whether to make the data available. Troia urged him not to do so.

“What would you gain by leaking it,” Troia asked.

“Nothing,” Pompompurin responded.

“Then why do it,” Troia asked.

“Because I wanna,” he answered.

“Just to expose more peoples info,” Troia responded.

“Yes,” Pompompurin said.

Photos of Hiếu before and during his time in prison. He was 23 when he was arrested. (Yen Duong, special to ProPublica)

White hats gained a new recruit when Hiếu returned to Vietnam in August 2020 after seven and a half years in prison, about six years earlier than expected thanks to his cooperation and good behavior.

Hiếu was shocked when he realized how much he’d missed while in prison. His sister Nora had gotten married and had a child. His ex-girlfriend, who broke up with him while he was in prison, was in a new relationship and about to marry someone else.

Once Hiếu adjusted to his new life in Ho Chi Minh City, he published his online security guide and went looking for a job. The Vietnamese government hired him as a researcher at its National Cyber Security Center, where his job involves monitoring RaidForums and similar platforms for black hats who seek to exploit Vietnamese targets. “I love it because I chase those people who I was before,” he said. Hiếu hasn’t crossed paths with Pompompurin, but said he saw a bit of his younger self in the hacker: “I just feel like I was that kind of guy back in the day.”

When Hiếu comes across hackers whose activities may be of interest to U.S. law enforcement, he sends tips to O’Neill, the Secret Service agent who helped put him in prison. O’Neill confirmed that Hiếu has provided the agency “credible and actionable” intel.

One thing immediately became clear to Hiếu after he started his current job: “It’s a lot easier and a lot faster to do cybercrime nowadays,” he said. When Hiếu was running his stolen-data store a decade ago, he often dealt with his customers via email, which exposed him to wire fraud charges tied to the U.S.-based email service he used. Nowadays, cybercriminals can just set up their own channels on Dubai-based Telegram and instantly advertise their services or stolen data to customers all around the world. When they find buyers, they can strike deals via encrypted chat messages, which are difficult for law enforcement to access, especially for those sent via services based outside of the U.S.

“We can’t get the chats,” said Jason Kane, special agent in charge of the Secret Service’s Criminal Investigative Division. “It’s not like the old days of a wiretap where you tap someone’s phone under a legal process and you were able to hear the bad actors talk about the bad activity.”

A December advertisement for a chatbot offering to sell personal data, posted by @TomsShop in a Telegram channel called FullzShopDL. Telegram deleted the channel and its chatbots after ProPublica inquired about them. (Screenshot from Telegram)

Hiếu showed ProPublica some of the services that thrive in this ecosystem. They include fully automated Telegram chatbots that spit out Americans’ identities on demand. One of these, known as the Hornet Lookup Bot, offered instant access to Social Security numbers for $10 each and driver’s licenses for $40. A Russian chatbot offered a similar service for the U.S., the United Kingdom and Canada. Yet another chatbot purported to be able to open bank accounts in any state using a stolen identity, according to touts from a Telegram user named @TomsShop in a channel called FullzShopDL. Most of the payments in such venues now occur in Bitcoin, which is hard to trace.

Telegram shut down the Hornet Lookup Bot, the Russian chatbot and @TomsShop’s sales channels after ProPublica asked about the services, but the company did not answer questions about why it allowed them to operate in the first place. (Rep. James Clyburn, D-S.C., recently posed similar questions in a letter to Telegram founder Pavel Durov that cited ProPublica’s July report about how cybercriminals were using the messaging platform to help each other file fake unemployment insurance claims. In September, Durov posted a message in his Telegram channel saying that “Telegram gives its users more freedom than any other app. If Telegram has to temporarily remove some content due to a law, it means that other platforms would have removed it long before us.” A spokesperson for Clyburn said Telegram has “refused to engage” with Clyburn’s committee.)

Not surprisingly, stores that sell stolen data quickly pop back up after they’re shut down. Cybercriminals often simply recycle their old usernames with a new digit or an extra letter at the end, and they’re back in business. The Hornet Lookup Bot is back in service on Telegram, now calling itself a “search” bot, and @TomsShop resurfaced under the handle @TomsShopz.

There’s no shortage of data leaks to help restock such services. When black hats steal data, posts quickly pop up on Telegram and RaidForums offering access to the information. After T-Mobile suffered a serious breach of its servers in July, an ad popped up on RaidForums offering 30 million Social Security and driver’s license numbers that were purportedly harvested from the heist. “Freshly dumped and NEVER sold before!” the August post enthused. (A spokesperson for T-Mobile, which has suffered at least five data breaches since 2018, said the company is creating a cyber transformation office that will create a “security-forward mindset.”)

Personal data posted in a Telegram channel with the message “Free one!” as an enticement to new customers (Screenshot from Telegram)

Once stolen data is no longer fresh, like many products, its price gets marked down, or it’s offered as a free enticement to attract new customers. One Telegram channel spit out random Americans’ Social Security numbers, addresses, driver’s licenses, dates of birth and names along with the message “free one!” mixed in between ads for full packages of identity information for $3 each. “It’s very easy to obtain data that belongs to U.S. people,” Hiếu said.

In November 2020, drivers in Texas got an unpleasant surprise when a software company called Vertafore, whose clients include auto insurers, revealed that it had left 28 million Texas driver’s license numbers sitting unsecured online. Three weeks later the company discovered that one of its products had been leaving reports containing names, addresses, birth dates and driver’s license numbers publicly accessible for about eight years, according to a notice filed in another state.

Fourteen months later, no federal or state agency has taken any public action in response, though the state of Texas has said it is investigating the breach. Vertafore did not reply to emails seeking comment. (At the time of the driver’s license leak the company said it “takes data privacy and security very seriously.”)

The U.S. doesn’t have comprehensive federal laws governing data security. So the burden has fallen to states. About half have enacted laws requiring companies to implement and maintain security procedures to prevent unauthorized access to personal information.

Companies occasionally face regulatory penalties for leaving data exposed online, but they don’t amount to much. In 194 instances cataloged by insurance data provider Advisen, most of them after 2008, companies have paid fines and penalties for leaving data unprotected, totaling about $71.6 million. That’s an average of about $369,000 per incident involving a fine or penalty.

All 50 states have enacted laws requiring notifications in case of data breaches. But consumers are often still left in the dark about whether they’ve been affected. Most states let the organizations that lost control of the data decide whether they need to issue a notification. When they do, a press release is often enough to satisfy state laws.

“It should be pretty clear by now that breach notification has failed to actually inspire effective data security protections across the board,” said Harley Geiger, head of public policy at Rapid7, a Boston-based cybersecurity firm. Geiger said a national baseline standard is needed to prompt businesses to implement appropriate data security protections.

The European Union has been operating under such a standard since May 2018. Known as the General Data Protection Regulation, the law requires companies to implement security measures to protect sensitive personal data and to promptly notify regulators and affected consumers when it gets compromised. Violations of the data protection rules can result in fines as high as 4% of a business’s annual worldwide sales. “You have to implement cybersecurity measures if you process personal data, and if you do not, you will have a legal problem,” said Stefan Hessel, a cybersecurity specialist in Germany at the Reuschlaw law firm.

Such measures may in fact make it harder for hackers to ply their trade, if Pompompurin’s postings are any indication. In August he was asked on RaidForums why large collections of personal data always seem to come from the U.S. He responded: “Because its the easiest to get, other countries have load of protection laws & shit, in the US your address is basically public information no matter how hard you try not to be put on lists like this.”

The Federal Trade Commission has been asking Congress to bolster its legal authority for more than a decade by enacting legislation that would set nationwide standards for data protection and breach notification. Sen. Maria Cantwell, D-Wash., and Sen. Roger Wicker, R-Miss., have each introduced bills that would require companies to implement and maintain reasonable data security practices to protect sensitive data and enable the FTC to more easily fine companies that suffer data breaches because of their own negligence. The two Senators are talking about combining their bills, according to a Senate committee staffer.

Pompompurin doesn’t seem concerned. In June, he organized 155 leaked databases into a neat index for RaidForums users. It included some of his greatest hits, and he invited others to submit their favorites. As he put it, “There’s a LOT of good dumps on here that should get more recognition.”

His effort was met with adoration. “Thanks for your hard work,” one RaidForums user responded, “we will get more data.”


This post was originally published on Articles and Investigations - ProPublica.","protected":false},"excerpt":{"rendered":"

by Cezary Podkul

ProPublica is a nonprofit newsroom that…<\/p>\n","protected":false},"author":7149,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[369],"tags":[],"_links":{"self":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/484393"}],"collection":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/users\/7149"}],"replies":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/comments?post=484393"}],"version-history":[{"count":5,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/484393\/revisions"}],"predecessor-version":[{"id":487985,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/484393\/revisions\/487985"}],"wp:attachment":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/media?parent=484393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/categories?post=484393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/tags?post=484393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}