The top credit bureaus have admitted someone accessed prominent Americans’ private data by filling out bogus requests via a Web site used by millions of consumers to access free annual credit reports.
“We are aware of recent media reports pertaining to unauthorized access to files belonging to high-profile individuals,” Equifax spokesman Tim Klein told Bloomberg News in an e-mail. “Equifax can confirm that fraudulent and unauthorized access to four consumer credit reports has occurred.”
The news agency received similar responses from Experian and TransUnion as well.
The list of celebrities whose credit histories, Social Security numbers and other personal identifying information was said to be revealed on a mysterious Web site earlier this week included First Lady Michelle Obama, FBI Director Robert Mueller and Attorney General Eric Holder. And then there were already overexposed celebrities like Kim Kardashian, Ashton Kutcher, Britney Spears and Paris Hilton who are also said to be among the victims.
“We should not be surprised that if we’ve got hackers that want to dig in and have a lot of resources, that they can access this information,” President Barak Obama told ABC News. “Again, not sure how accurate but … you’ve got Web sites out there that tell people’s credit card info. That’s how sophisticated they are.”
The means of gaining access, however, appears to involve good old-fashioned spoofing. The culprits were able to glean enough personal information from other sources to access the online reports using AnnualCreditReport.com, a free service the government set up to help consumers monitor their own credit reports from the three major credit bureaus.
Equifax’s Klein told Reuters his company was taking steps to tighten the credentialing process but did not elaborate. In addition to name, date of birth, address and Social Security number, access to credit reports typically involve challenge questions whose answers could be gleaned from social networks or news outlets or data mining services – such as a former telephone number, address or high school.
Some news accounts initially questioned whether the sensitive information posted on the site was even true or just an elaborate hoax. But since then the credit bureaus have confirmed the impersonations and unauthorized access to actual celebrity details.