200 million-record breach: Why collecting too much data raises risk

A large direct marketing list now circulating on the grey market reveals highly sensitive data on 200 million U.S. citizens. Was it really necessary to collect it all?

Networking cables viewed through a magnifying lens reveal a data breach.
AndreyPopov / Getty Images

If you don't collect it, no one can steal it.

Sometimes the best way to secure customer data is not to collect it in the first place. While it can be tempting to "collect it all" just in case, most enterprises need far less data on their users to market to them effectively. Reducing the amount of data collected means that in the inevitable event of a breach, the repercussions will be far less severe.

"One of the things we're hearing from consumer brands is that they're doing less," Gerry Murray, director of marketing and sales technology research at IDC, says. "They're becoming more thoughtful about 'what do we want to know about you?'"

"For most commercial purposes you don't need to know that many things about a person, and sometimes you're better off not knowing," he adds.

The apparent breach of a 200 million-record direct marketing list that appears to originate from a 2015 opt-in list puts the issue into focus.

What we know about the breached data

The breached records, which contain 42 fields, including address, phone, marital status, income, financial net worth, race, gender and religion, appear to have been originally collected by Experian (although Experian denies this) and licensed to thousands of direct marketers around the world, meaning the breach could have happened at any one of them and not necessarily at Experian.

The files do not contain social security numbers, driver license or passport numbers, or credit card numbers and are thus not as sensitive as other breaches, such as the United States Office of Personnel Management (OPM) breach that exposed detailed personnel files of US government employees. Taken in aggregate, however, the information paints a profile of American society at large and could be joined to other breached data by criminals or nation-state adversaries.

This kind of direct marketing data ages rapidly, and a list like this that might have fetched hundreds of thousands of dollars in license fees in 2015 is today worth almost nothing to legitimate direct marketers, sources familiar with the industry tell CSO.

The files all contain the word Experian in their name, and the fields match a direct marketing list advertised by a third party, Data Monster. (That list has since been removed from the Data Monster site.) Experian told CSO the data was not theirs, writing in an email, "We’ve investigated and this is not Experian’s data." Data Monster also denied being the source of the breach, pointing out that such lists are licensed to thousands of call centers, and the breach could have originated from any one of them. 

Last week an unknown actor circulated a link on Ghostbin pointing to files shared on mega.nz containing 27.8 million records, including ten states. The erstwhile motive was to offer a large free sample to possible buyers. CSO was able to confirm that data belonging to select employees at IDG Communications, CSO's publisher, was genuine. The links to the files on mega.nz have since been taken down.

This is not the first time news of this purported data breach has popped up, but it is the first time actual data has been reported. In late 2016, hacker DoubleFlag offered a similar-sounding database for sale, but no data was released at that time. CSO reached out to DoubleFlag on two different email accounts but did not receive a reply.

Experian suffered a confirmed data breach in 2015 of 15 million people, but that breach appears unrelated to the data currently circulating, as it contained social security numbers as well as driver's license and passport numbers.

The metadata of the data dictionary spreadsheet included with the leaked data includes a couple of tantalizing clues to its origin, including a 2009 creation date, an author named "Albert Kohl," and a last edit by "Joe." Metadata can be easily faked, however.

Chalk up yet another data breach

Former Experian CISO for marketing and government services Jasun Tate, now chief intelligence and solutions officer at Bits & Digits, tells CSO that the hacker DoubleFlag is likely a nation-state cutout dropping dox so criminals will use the data and thus cover DoubleFlag's tracks. "All these leaks...are part of a larger campaign from a mature and well-organized institution that has been collecting information on United States citizens for some time," Tate tells CSO. "[They are] learning how we consume, think and are influenced to conduct more surgical campaigns against our institutions leveraging the big data that we throw around so flagrantly." 

porup breach J.M. Porup

The fields shown in the CSV files of the exposed direct marketing list

Even though Experian has denied that the data is theirs, we don't know for sure whether Experian or a third party was asleep at the wheel when this data got loose. It almost doesn't matter. The market has failed to select for strong cybersecurity controls, and the breaches will continue until regulation — and credit bureau security — improves.

Until then, consider being proactive in reducing your enterprise's data collection footprint. The easiest way to protect your employer from data exfil is to avoid having the data in the first place. In a post-GDPR, post-Cambridge Analytica world, smart brands will find a way to get on the good side of consumers and regulators.

"Brands are now looking at how to differentiate themselves around the data relationship they have with their customers," Murray says. "How they treat their customer data is how they treat their customers."

FREE Download: Get the Spring 2019 digital issue of CSO magazine today!