Matthew Yglesias is on vacation.
Sen. Jay Rockefeller (D-W.Va.), who has a reputation for going after data brokers, has sent a letter to the CEO of Experian after learning that one of the credit bureau's recent acquisitions had sold Social Security numbers to identity thieves. The letter comes after an amazing investigation of a number of surreptitious sales among companies and countries.
KrebsOnSecurity conducted the investigation. Former Washington Post writer Brian Krebs and his readers were able to backtrack from “sourceid” metadata attached to consumer records being sold online. They tracked the data back to an American company, USInfoSearch.com, whose CEO in turn blamed a third company, Court Ventures, with whom they’d signed an information-sharing agreement. (Didn’t you know that everything is hunky-dory so long as you sign an information-sharing agreement?)
Court Ventures “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Experian, one of the three major national credit bureaus, gets dragged in here because it bought Court Ventures about a year ago.
USInfoSearch.com’s CEO says that the people selling this extraordinarily sensitive information accessed Experian’s records after posing as a U.S.-based private investigator, but they are actually based in Vietnam. But even if these posers threw together their most convincing American outfit, Experian should have noticed that they were being paid with wire transfers from Singapore.
This could lead to a lot of pain for Experian. USInfoSearch.com found out about the leak only after contact from the U.S. Secret Service, which had obtained a grand jury subpoena against the company. In other words, there’s a possibility that Experian might be prosecuted. Acquisitions come with liabilities.
Rockefeller is now demanding answers from Donald Robert, Experian’s CEO. What seems particularly worrying to Rockefeller, as Natasha Singer reported at the New York Times, is “whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them, regardless of the particular line of business.”
It’s hard to imagine how careful Experian could be—or at least how careful Court Ventures was—if Krebs' investigation is right and they sold troves of data to a "U.S. investigator" without noticing the payments were coming from Singapore.
The case also highlights an important and understated problem: No one can operate offline anymore. Debates about data brokers often center around Facebook, but having a Facebook account is still a voluntary activity. Experian is not a company from which you can opt out. Credit reports are not voluntary. The dangers of online information sharing are not only about individual decisions. As Rockefeller has suggested, they’re also hugely dependent on corporate practices that occur behind closed doors.
This is why data brokers can’t have nice things. Like our Social Security numbers.