British fraud cop quits job, buys huge database of stolen identities, charges fees to people who want to know if their details are in the database

A former British fraud cop has assembled a database of 4,000,000 British identities, including credit card numbers and PINs, seemingly by buying data from hackers and phishers. Now he's selling access to the database to panicked members of the public who want to know if their identities have been stolen.
Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers and even PINs are available to the highest bidder...

The information being traded on the web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world...

The database is held by Colin Holder, a retired senior Metropolitan police officer, who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners and members of the public. Mr Holder said he had invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached.

Four million British identities are up for sale on the internet (via Making Light)

  1. Isn’t it illegal to be in possession of this data, especially given that a) he’s no longer a police officer but a civilian, b) it may violate EU privacy laws, c) much of it was stolen to begin with? And then to charge people to find out whether they’re in the database, that just sounds like extortion…or just business as usual for the credit bureaus.

  2. Never underestimate the capacity of one human being to profit from the suffering of another.

  3. My first instinct upon reading this was, “simply being in possession of data of that nature, let alone selling confirmations of its existence, can’t be legal.”

    But I’m having a tough time figuring out if that’s true or if it’s merely unethical to the extreme.

  4. I heard that the Information Commissioner’s Office will be investigating him. Certainly it would be against the Data Protection Act to hold that information.

    Also, under the Data Protection Act a data holder is required by law to disclose to a person any information they hold on that person, for which they are allowed to charge a nominal fee. The maximum they are allowed to charge is £10.

    http://www.ico.co.uk/

  5. Working hard to give bobbies a good name! This guy is such a spiv – a word I’m sure the boys in blue will understand.

    If this is accurate, then the importance to the public of this information should warrant its seizure by the government. Also, how could he ever legally assemble it?

    And surely, surely the data itself is illegal to possess! What about the data protection act!?

    I bet this fella has an expensive white cat sitting on his lap.

  6. #4 Jeffbell, thanks for that, that is stupid and brilliant, a combination that always does it for me!

  7. Aw, c’mon, what’s the big deal here?

    I mean, this is personal info about British folks, yes? Who doesn’t already have that?

    They hand out CDs of this stuff on the London Underground for free.

  8. @10 that’s very funny! Hoho – in the doctor’s waiting room, on the bus, pub beermats – wherever careless government employees have wandered.

    One thing I have enjoyed is outsourcing to India – and firms dealing with your data inform you that it’s going beyond the boundaries of the protective custody of EU law. And people think that’s ok.

    Come to think of it, it can’t really be all that hard to get that data, can it! It doesn’t even have to come from “shadowy” sources – just approach a hard up data centre manager.

  9. jeffbell @4:
    Thanks for the link! I checked the PINs there. Egad, mine there!

    Now, I’ll have to change it.

  10. “Mr Holder said he had invested £160,000 in the venture”… is this guy *buying* the data? If so then that’s surely just funding the problem; if not then, as he’s not working for the Met any more, how does he now have access to the data and Joe Public doesn’t?

  11. But as the bank provides a free new card and PIN as soon as you suspect a compromised card, why pay to know whether or not it actually has been stolen?

    Just renew your card…

  12. @jeffbell #4 Whoa! This is weird because my PIN number actually *isn’t* there. Srsly.

  13. How much is he going to charge? Would it be easier/cheaper/more annoying for one to just make a DPA request for all information he has about you?

    For the benefit of Americans: in the UK the Data Protection Act 1998 allows one to demand that a company provides you with copies of all information it has about you. The company can charge, but no more than £10, and must react within a certain time limit (30 days I think?).

  14. You should be able to request the information he holds using a Data Privacy Act request. In fact the Times article suggests he has been consulting with the Privacy Commissioner on how to do this.

  15. Where I live we have laws prohibiting policemen working as private detectives or in security for several years after leaving their job.

    This is exactly why.

  16. Jeffbell @6, is that a phishing site? Like, you tell people their PIN is there, then record their search strings as they check?
