A third party has scraped contents of TLO, a massive database of personal information used by private investigators and law enforcement, and then posted the information elsewhere on the internet, including peoples’ physical addresses, phone numbers, email addresses, and the contact details of their relatives.
The finding shows the risk of databases like TLO that contain hundreds of millions of sensitive data points. Once someone has access to TLO, they may copy that information, distribute it, and otherwise use it however they see fit. In this case, the data was scraped and then posted online where it could theoretically be discovered by others. In this case, access to the scrape was password protected, but the password was easily discoverable.
Jelle Ursem, an independent security researcher, first alerted Motherboard to the scraped TLO data. The website appears to be connected to a real estate firm. The company did not respond to a request for comment.
Do you know anything else about data selling or scraping like this? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
On its website TransUnion says clients can use its TLO database for fraud mitigation, determining business risk, insurance claims management, and more.
“Find likely locations, telephones, assets, liens, bankruptcies, fraud history and much more,” TLO’s website reads.
The real estate firm’s website of scraped data includes thousands of PDFs of results from searches on TLO concerning specific people.
Igor Ostrovskiy, a New York based private investigator with Ostro Intelligence, previously told Motherboard that TLO’s data contains “very powerful information that can help professionals with fraud investigations. Or can help criminals commit fraud as well as a variety of other crimes.”
“Data security is TransUnion’s top priority. To ensure that TLOxp information is used only as permitted and appropriate, we deploy comprehensive safeguards, including rigorous credentialing of all users, strict access controls, and ongoing monitoring,” David Blumberg, senior director of public relations at TransUnion, told Motherboard in an emailed statement. Consumer credit reporting giant TransUnion runs TLO.
“We also utilize tools to proactively scan for references to TLOxp on the web to uncover any potential misuse of data. In those cases, fraudsters often pull data from other sources and misrepresent it as TLOxp data. In the rare case we determine that one of our customers has misused TLOxp data, we immediately terminate access and coordinate with law enforcement to help prosecute those criminals,” Blumberg added.
In December, Senator Ron Wyden urged the Consumer Financial Protection Bureau (CFPB) to stop credit agencies from selling Americans data.
“These data brokers are serving as shady middlemen to sell this personal information without any legal protections,” Wyden wrote to CFPB Director Rohit Chopra in the letter. “CFPB must rein in the sale of Americans’ data by credit agencies for non-credit related purposes.”