You're probably familiar with the process of authenticating yourself on banking or credit-card websites using security questions. Where did you go to elementary school? Who was your maternal grandmother? Etc. Nothing wrong with that. Unless someone else knows the answers.
If your personal data was ever collected by some of the largest data aggregators in the country - LexisNexis, Dun & Bradstreet, and Kroll Background America - it might be in the hands of a hacker.
This unsettling incident hasn’t gotten as much attention as it deserves, but hackers apparently gained access to those companies' databases and may have purloined information to steal the people's identities.
Journalist Brian Krebs broke the story and published a report on his website. Krebs, a former Washington Post reporter, spent months digging into a now-defunct, criminally-run site called ssndob.ms (which stands for social security number and date of birth) that was selling the personal information of millions of Americans.
The story is complicated, but the key break apparently came when the hacker site got hacked and its database was sent to Krebs, who writes:
"The database shows that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans."
Unfortunately, data hacks are all too common. What strikes me about this one is the vulnerability of data aggregators, companies that hold personal data you need to keep secret. Breaking into those databases is like getting the combination to a bank vault; it makes theft very easy.
For the record, LexisNexis told Krebs that it had "identified an intrusion targeting our data but to date has found no evidence that customer or consumer data were reached or retrieved." The other companies had even less to say.
You might not have heard of Kroll Background America. It’s a company that provides employment-background, drug and health screening services. Think about the kind of data "locked" inside its servers. Yikes!