Data enrichment records for 200 million people up for sale on the Darknet

More than just PII, the records contain additional financial information and spending habits.

Full data enrichment profiles for more than 200 million people have been placed up for sale on the Darknet. The person offering the files claims the data is from Experian, and is looking to get $600 for everything.

Details of this incident came to Salted Hash via the secure drop at Peerlyst, where someone uploaded details surrounding the sale and the data. The data was first vetted by the technical review board at Peerlyst, who confirmed its legitimacy. Once it was cleared by the technical team, a sample of the data was passed over to Salted Hash for additional verification and disclosure.

Calls to individuals in the sample data went to voicemail and were not returned. Should any of them confirm their information, we’ll update this story.

Salted Hash also reached out to Experian and one other firm, Acxiom, as sources have speculated the information that’s up for sale aligns with enrichment data made available by these companies.

Acxiom did not respond to questions. However, sources at Experian said that they were made aware of this data breach last week, and investigations determined that it wasn’t their data.

Instead, investigators believe the data on offer is a collection of records that’s being labeled as Experian’s in order to leverage the company’s name.

“We’ve seen this unfounded allegation and similar rumors before. We investigated it again – and see no signs that we’ve been compromised based on our research and the type of data involved. Based on our investigations and the lack of credible evidence, this is an unsubstantiated claim intended to inflate the value of the data that they are trying to sell – a common practice by hackers selling illegal data,” Experian said in an emailed statement.

So while Experian investigators state the data isn’t theirs, the fact that the data exists is still a problem.

The seller is taking things seriously too, limiting access to the data by refusing to deal with potential buyers who have newer accounts or those with only a few hundred dollars in previous transactions.

There are 203,419,083 people listed in 6GB worth of records. The profiles include PII such as a person’s name, full address, date of birth, and phone number, but because it’s enrichment data, the records also include more than 80 personal attributes.

Among the additional attributes, profiles include a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.

In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.

Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).

There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.

Some of the information in the collected records was provided directly to the data broker by the individual at some point. But data brokers who offer data enrichment programs use a mix of opt-in details and sourced information. It’s legal for them to collect, store, and share this information, provided they comply with various data regulations.

What this means is that there is no solid way to track where the attribute data came from.


Commercially, while data brokers have learned to navigate the various data privacy laws, such as SB1386 and FCRA, now that this data is out there – it’s fair game and available for anyone to use. While some of this data might have previously required permission before it could be used, that’s no longer the case with this data set.

Salted Hash reached out to J. Tate, CISO of bits&digits, a counter and social intelligence agency with headquarters in Germany and Columbia, SC, about the data that’s currently up for grabs. He said sets such as this one have reached a level of social desensitization that is dangerous.

“Not placing the necessary importance on your digital identity and collected marketing insights is one of the worst habits one can have,” Tate said.

“The information collected in this trove, no matter which data-broker or marketing enrichment system it came from, is now in the hands of people that you will never know. What uses they provide to both marketers and nefarious scam artists are endless. This is my biggest concern, the data sets that are popping up around the world are not secured as regulation mandates, are providing easy to access credentials and intelligence points to facilitate complex identity fraud, human trafficking and money laundering operations across the globe.”

As far as criminal elements go, the data contained in this database is an identity thief’s dream. Moreover, a list such as this allows a criminal to seek high-value targets in a given area based on net worth, travel habits, or supported cause.

Kidnapping is a certain possibility for anyone that has a household income of ‘S’ ($250,000+) or a net worth of ‘I’ ($499,999+), especially if they travel overseas. But there is also the chance that someone could take the list and create identifications for those that are over the age of 70 and use them to smuggle people into, or out of, the country.

On a technical level, anyone within the data set that uses the collected data for knowledge-based authentication is exposed, but it’s also the case that this data can be used to gain access to such information indirectly.

Moreover, the data holds enough information to develop a sustained phishing campaign, which could open the door to numerous other crimes.

“This data set alone (and there are many more) tells us who makes more than $100,000 a year in a given zip code and address; what allergies each member may have; how many home loans they have taken out in 15 years; how many pets; how often they shop; and about 80 other attributes. Until we start taking our data seriously, how can we expect the companies that barter and sell it to?” asked Tate, during a recent email conversation.


Copyright © 2016 IDG Communications, Inc.
