Using AnnualCreditReport.com, a site set up by the three major credit reporting bureaus in the United States for consumers to obtain free annual copies of their credit reports, hackers were able to obtain credit reports and post online sensitive information belonging to some high-profile victims.
Credit report information for the Vice President, Hillary Clinton, the U.S. Attorney General, the First Lady, Donald Trump and other well-known names was posted on a Russian website, Exposed.su. The personal information obtained originated from credit reports from the three major credit bureaus, Equifax, Experian and TransUnion, although there is no evidence that their systems were hacked directly. A spokesman from Equifax stated that the credit reports were obtained through AnnualCreditReport.com, which is a joint effort of the three major credit bureaus and is managed by a third-party company.
In order for consumers to obtain their annual free credit reports from each of the credit bureaus, they are asked up to six questions related to their recent payment and credit history in a knowledge-based assessment (KBA), or out-of-wallet check. Although this information is detailed and specific, some of it could be found through research online. The hackers likely had access to some of this information, possibly through public sources and possibly through previous data compromises, where they could obtain personally identifiable information of the victims. The hackers posted information for twenty victims, although a full credit report was not obtained for each, and it was confirmed that four victims had their personal data compromised through the AnnualCreditReport.com site.
The fact that hackers were able to obtain such information and pass KBAs to obtain credit reports underscores the importance of actually being able to authenticate and verify an identity. With the high availability of personally identifiable information online, be it through information voluntarily shared on social networks or information obtained illegally and later posted or sold online, fraudsters are finding ways to get around security questions and out-of-wallet checks.