The Equifax credit bureau confirmed Tuesday that criminals have stolen credit reports from AnnualCreditReport.com, the website designed to allow consumers free access to their own credit reports.
The theft suggests criminals have outfoxed AnnualCreditReport.com’s defenses, potentially giving them access to 200 million Americans’ credit reports. According to the Consumer Financial Protection Bureau, 16 million consumers use AnnualCreditReport.com annually.
The nation's three largest credit bureaus -- Equifax, Experian and TransUnion -- were required by federal legislation passed in 2003 to offer consumers one free credit report every year. The three jointly operate AnnualCreditReport.com to fulfill that obligation.
Entertainment news website TMZ first reported Monday that highly detailed personal information on international celebrities and political figures – including Jay-Z, Beyonce, Attorney General Eric Holder and Hillary Clinton – had been published on a website, and that the FBI was investigating. The same website identified in that report published additional data on Tuesday, including details about first lady Michelle Obama and Vice President Joe Biden, leading to a flurry of interest in the source of the data. Later Tuesday, Equifax confirmed that some of the data associated with those identity thefts had been stolen from AnnualCreditReport.com.
"Equifax can confirm that fraudulent and unauthorized access to four consumer credit reports has occurred through the AnnualCreditReport.com channel, a free public service that allows all consumers to get annual access to their credit report," the company said in a statement. "Our initial investigation shows the perpetrators had the (personal information) of the individuals whose files were accessed and were therefore able to pass the required authentication measures in place. We have launched a full investigation into this matter and we are also working closely with law enforcement authorities on this matter."
The statement did not identify which credit reports had been accessed through the website or explain why more than four reports had been published on the website.
TransUnion and Experian also confirmed unauthorized persons had managed to access the credit report data.
"TransUnion’s systems were not hacked or compromised in any way," the firm said in a statement to CNBC. "The sophisticated perpetrators of these fraudulent activities had considerable amounts of information about the victims, including Social Security numbers and other sensitive, personal identifying information that enabled them to successfully impersonate the victims over the Internet in order to illegally and fraudulently access their credit reports. TransUnion is taking steps to assist the individuals affected to help minimize any potential impact. We are conducting our own internal investigation and working closely with law enforcement."
Experian also said its systems weren't hacked, adding that "this looks to be an isolated situation."
Consumers who attempt to obtain their credit reports from AnnualCreditReport.com must answer a series of authentication questions. Many of these are what's known as "out-of-wallet" questions -- questions that a criminal who had stolen a wallet couldn't answer -- such as, "which bank holds your mortgage" or "which of these former addresses are valid."
That means the criminals who stole the credit reports probably had access to a host of personal information about their targets, allowing them to successfully answer the authentication questions. Some of that data can be purchased from other online data brokers, culled from web pages or even determined through guesswork and the process of elimination.
The Federal Trade Commission regulated the creation of AnnualCreditReport.com and its security procedures.
FTC spokesman Jay Mayfield said the data theft serves as another reminder to consumers that they should protect their personal information, but said the agency still recommends that consumers visit AnnualCreditReport.com or call the credit bureaus to get a free copy of their credit report every year. He would not comment specifically about the theft of the celebrity credit reports, or about the security of AnnualCreditReport.com.
Consumers who hear that AnnualCreditReport.com has been compromised might be dissuaded from using the site in the future, and perhaps pay another third-party firm for their credit reports. Doing so would not enhance their security, however. The data available at AnnualCreditReport.com could be accessed by criminals even if the consumer never asks for it.
Issues with the authentication procedures at credit report websites have been raised in the past. Last year, security analyst Dan Clements of CloudEyez.com gave NBCNews.com a tour of websites that sell stolen credit reports. Several of the stolen credit reports viewed at the time indicated they'd been taken from AnnualCreditReport.com or other third-party websites that charge a fee for access to credit reports.
"I'm selling super prime credit reports and scores which include all three bureaus and other information," bragged one advertisement on a credit reports for-sale site.
Most of the websites were hosted in the .su domain, assigned to the former Soviet Union. The recently published celebrity credit reports are also hosted on a .su website.
In one how-to posted on a hacker bulletin board, a hacker describes a brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?" But there's a critical flaw, the hacker said:
"Normally all ... of them will ask you the same question," the hacker wrote.
Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.
The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.
The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."
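As an added defensive illustration (not code from the article or from any of the bureaus), covering both the multiple-choice weakness described earlier and the elimination how-to above: the snippet below quantifies how far random guessing gets against a multiple-choice quiz with a bounded number of attempts, and runs a per-identity failure counter over a constructed audit log to flag the repeated attempts that such guessing requires. The log format, subject ids, question counts and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log of KBA quiz outcomes, keyed by the consumer
# whose report is being requested (not by session or source address, since
# an attacker who cycles sessions or sites still targets the same identity).
SAMPLE_LOG = """\
2013-03-12T09:00:01 subject=c-1001 outcome=fail
2013-03-12T09:04:17 subject=c-1001 outcome=fail
2013-03-12T09:09:40 subject=c-1001 outcome=fail
2013-03-12T09:15:02 subject=c-1001 outcome=pass
2013-03-12T11:30:00 subject=c-2002 outcome=pass
2013-03-13T08:00:00 subject=c-3003 outcome=fail
"""

def parse_line(line):
    """Split one log line into (timestamp, subject id, outcome)."""
    ts, subj, outcome = line.split()
    return (datetime.fromisoformat(ts),
            subj.split("=", 1)[1], outcome.split("=", 1)[1])

def guess_probability(questions, choices, attempts):
    """Chance that `attempts` distinct random answer sets contain the right one
    for a quiz of `questions` multiple-choice questions with `choices` each.
    With unlimited attempts this reaches 1, which is why elimination works;
    a cap on attempts per identity bounds it."""
    combos = choices ** questions
    return min(attempts, combos) / combos

def flag_subjects(log_text, max_failures=3, window=timedelta(hours=24)):
    """Sliding-window failure counter per identity. Returns the subjects that
    reached `max_failures` failed quizzes inside `window`, plus any quiz they
    then passed within that window, which should be treated as a likely
    guessed-through result rather than a trusted authentication."""
    failures = defaultdict(deque)
    flagged, suspicious_passes = set(), []
    for line in log_text.splitlines():
        ts, subj, outcome = parse_line(line)
        q = failures[subj]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if outcome == "fail":
            q.append(ts)
            if len(q) >= max_failures:
                flagged.add(subj)
        elif len(q) >= max_failures:      # pass after too many recent failures
            suspicious_passes.append((subj, ts.isoformat()))
    return sorted(flagged), suspicious_passes
```

Counting failures per identity rather than per session is the point: the how-to above relies on retrying across fresh sessions and sister sites, so a per-session lockout alone never sees the pattern.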
* Follow Bob Sullivan on Facebook.