It took only a few seconds to uncover the target’s entire life.
On the messaging app Telegram, I entered a tiny amount of information about my target into the dark blue text box—their name and the state I believed they lived in—and pressed enter. A short while later, the bot spat out a file containing every address that person had ever lived at in the U.S., all the way back to their college dorm more than a decade earlier. The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their drivers’ license, including its unique identification number. All of that data cost $15 in Bitcoin. The bot sometimes offers the Social Security number too for $20.
This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement.
A 404 Media investigation has found that criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officer’s identities, and are selling unfettered access to their criminal cohorts online. The tool 404 Media tested has also been used to gather information on high profile targets such as Elon Musk, Joe Rogan, and even President Joe Biden, seemingly without restriction. 404 Media verified that although not always sensitive, at least some of that data is accurate.
The communities where this tool is advertised include chat rooms focused on swatting, where criminals place bogus calls that result in a heavily armed police response to a specific location; SIM swapping, in which hackers take over a victim’s phone number to then receive login codes and break into their online accounts; and physical violence, where criminals hire one another to rob, shoot, or assault their enemies and vandalize the target’s home. Overall, the tool offers exceptional power and requires little to no technical sophistication to obtain a victim’s sensitive data. Worse yet, it is exceedingly difficult for a user to opt out, and this data may be available even for people who have otherwise been careful with distributing their personal information, and who have taken steps to have their details scrubbed from other data brokers.
Senator Ron Wyden told 404 Media in a statement that “These companies have demonstrated that they can't control who has access to their data products. The government needs to stop these companies from packaging and selling our personal information, and the senior executives that put profit over national security and Americans' safety should be punished accordingly.”
The Supply Chain
Eighty-two percent of American adults had a credit card in 2022, according to data from the Federal Reserve. Whenever someone applies for a credit card, their financial institution transfers personal details about the customer to the big three credit bureaus, Experian, Equifax, and TransUnion. This is in part so the bureaus can track a user’s credit score. In other words, the majority of the adult population, by the simple fact of how credit cards work, will have their personal information collected and stored by these bureaus.
The bureaus also play an important role in preventing fraud, by holding onto peoples’ most sensitive personal information and using that to verify their identities. But years ago the bureaus realized they had such a valuable resource of data, and diversified what they did with that information, John Gilmore, head of research at DeleteMe, a company that helps scrub peoples’ data from the internet, said.
The bureaus made some of the data provided by consumers—known as credit header information—available to other companies. The FTC defines credit header information as the portion of a consumer’s credit report that typically contains the person’s name, birth date, current and prior addresses, Social Security number, and telephone number. Essentially, it can include everything on a person’s credit report above the details on who they have borrowed money from—the top, or the header, of the document.
While credit reports themselves are limited to certain uses such as applications for credit under the Fair Credit Reporting Act (FCRA), credit bureaus and data brokers generally believe credit header falls under a different piece of legislation: the Gramm-Leach-Bliley Act (GLBA). This law gives the credit bureaus room to sell credit header information to third parties under a set of use cases that are much broader than the full credit report. Examples include to protect against fraud or the vague term “holding a legal or beneficial interest relating to the consumer.”
In February, a group of activist and legal organizations, including the Center on Privacy & Technology at Georgetown Law, the Electronic Privacy Information Center (EPIC) and Just Futures Law, wrote to the Consumer Financial Protection Bureau (CFPB) about this legislative issue around credit header data.
That letter says that the bureaus’ position on credit header data comes from a particular reading of a 2011 report written by the FTC, which the bureaus interpret as meaning they don’t have to treat credit header data with the same protections as a full credit report. “This interpretation of the FTC report is erroneous,” the group of organizations wrote.
The third party companies that buy or receive the credit header information in turn often resell or provide access to it for a fee to private investigators, real estate investors, and other industries. One company called AlumniFinder, for example, sells GLBA data so educational institutions can “reach and engage lost alumni” according to its website. Immigration and Customs Enforcement has used similar data that flowed from utility companies to Equifax, which then was sold to data brokers. And in March, the FBI and National Counterintelligence and Security Center warned that foreign intelligence entities working for repressive regimes have sought access to private investigators in part to obtain personal information on targets in the U.S.
At some point in that trickle down of data, criminals have found a way in.
"TLO the bitch"
404 Media accessed around 10 Telegram groups where members discuss and advertise bots that offer personally identifiable data for sale. Prices fluctuate between around $15 and $40 depending on what type of data a customer wishes to buy, and as availability ebbs and flows. One person told a group that their tool finds anybody.
404 Media has seen criminals using the bots specifically for doxing people, meaning publishing their personal information online. In multiple instances, personal information with the same data types as the bot 404 Media used was uploaded to a website popular with cybercriminals and harassers to preserve dox on victims. Members have indicated in their chats and shared dox that they are targeting YouTubers and seemingly ordinary people, as well as the high profile celebrities and politicians.
Some of those bot-generated dox have been uploaded by users that deal specifically in physical violence. These include groups whose members offer services for a price such as shooting up a house, armed robberies, stabbings, and assault. The cybercrime underground has seen a dramatic rise in violence and harassment over the last few years, with innocent neighbors sometimes being swept up in online fights turned physical. In those violence-as-a-service groups, some members explicitly ask for or offer this type of data.
The exact data broker the criminals used to to obtain data appears to have changed over time. In January, I reported criminals were advertising access to a tool called TLOxp, owned by TransUnion. This direct relationship with TransUnion makes TLOxp an especially powerful tool. In one of the few well-documented cases of abuse of TLOxp, in 2018 Forbes covered how an amateur rap crew used TLOxp as part of a million dollar fraud spree.
More recent Telegram messages suggest the new wave of cybercriminal access to TLOxp was short-lived, before they moved onto other providers. But judging by the voluminous chatter mentioning it, TLOxp is the database that has caught the cultural zeitgeist of the criminal underground. Talk of TLOxp is now so common that people use it generally to mean a powerful lookup tool. They also use the name of the tool as a verb.
“I should TLO the bitch huh,” one message reads.
“Have fun tlo’ing me,” another reads.
“TLO her,” a third says.
TransUnion is aware of its brand recognition within the criminal underground. In a statement, TransUnion said that “At times, fraudsters will pull data from other sources and misrepresent it as TLOxp data.” The company added it deploys various safeguards and protections to ensure its data is only used as legally permitted, but acknowledged unauthorized parties do sometimes gain access.
“On the very rare occasion where we confirm misuse of TLOxp, we coordinate with law enforcement to help prosecute those responsible,” TransUnion added.
Beyond TLO, criminals have mentioned multiple different companies in the Telegram groups they claim to use: Data-Trac, SearchBug, and USinfoSearch among them.
Data-Trac told 404 Media that someone gained access to its tool by stealing the identity of a former law enforcement officer and private investigator in Florida. The criminal then opened an account with those credentials, which included a drivers’ license. Data-Trac said it is working with law enforcement on an active case concerning the incident.
Normally, data brokers verify who a private investigator customer is by performing an on-site visit to the customer’s office. They’ll verify the private investigator has a locked filing cabinet and shredder for properly handling records. Data-Trac, however, said at the time of the criminal gaining access, the company only performed “remote confirmation,” where the applicant is asked to provide various pieces of identity and security verification virtually rather than in-person.
Noah Wieder, CEO of SearchBug, confirmed his tool had been used to look up around half a dozen names 404 Media identified as being targets of criminals. Those included Elon Musk, Joe Rogan, President Biden, as well as some rappers and others who don’t appear to be celebrities. Spotify, which hosts Rogan’s podcast, did not respond to a request for comment. X, the site previously known as Twitter and which Musk owns, did not respond either. A spokesperson for the National Security Council declined to comment when asked about the tool being used against President Biden and instead directed the request to the CFPB.
Wieder said he didn’t know whether SearchBug’s own data provider gave it credit header data specifically, but said it was the responsibility of the data supplier to block requests for lookups on high profile individuals like celebrities and politicians.
In response to 404 Media’s findings, Wieder said SearchBug will now perform those blocks itself. The same day Wieder said SearchBug would introduce those limits, one bot seller said on Telegram their bot would now face restrictions; they later told their customers to not look up celebrities or public officials.
USinfoSearch, meanwhile, said its tool had not been used to lookup any of the names criminals targeted, but criminal chatter shows a high level of interest in the company. Scott Hostettler, general manager of USinfoSearch, told 404 Media in an email that “the security and protection of our licensed databases and information is at the very top of our priorities and our systems are monitored continuously.”
“We understand the importance of protecting sensitive information and upholding the trust of our users is our top priority. Any allegation that we have provided data to criminals is in direct opposition to our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure,” he added.
Other companies mentioned by the criminals, including Microbilt and another called LocatePlus, did not respond to requests for comment. In 2019, I reported that Microbilt was part of a supply chain of location data from telecoms that ended up with bounty hunters being able to instantly pinpoint most phones inside the U.S.
Regardless, Julie Mao, co-founder and deputy director of Just Futures Law, which has campaigned against ICE’s use of similar data, said “it’s likely that at least some of this data (and wouldn’t be surprised if it’s almost all) is credit header info” after reviewing a sample of the data generated by the tested bot.
The Near Impossibility of Removal
In 404 Media’s own tests, while DeleteMe is a helpful tool at removing personal information from a myriad of people-search sites, at the time of writing it does not appear to cover the sites these criminals are using, nor does it prevent the tested Telegram bot from gaining access to information that is otherwise not easily available.
Gilmore from DeleteMe said that the company is constantly adding new services to track, and some are more responsive than others. That game of whack-a-mole presents another, more fundamental issue. Curtailing the spread of credit header information will persist until it is stopped at the source: the credit bureaus.
But for the ordinary consumer, it can be very difficult to get the credit bureaus to stop selling their data to third-parties, and perhaps impossible to have them delete it entirely, given their continued role in combating fraud.
“They will not remove you from their datasets, but they will not sell it in certain conditions,” Gilmore said. The bureaus make the process very onerous, Gilmore added. “They never purge the header data, because that is necessary for fraud checks.”
Of course, even if a person did manage to get the bureaus to stop distributing their data, if a third party has already obtained a copy, that data may still find its way out. And then it’s very difficult for someone to learn which of the avalanche of companies sold or provided their data to others as well.
Privacy and legal campaigners think the solution is plugging the flow of credit header data at the bureaus. “We really believe that the real, fundamental problem is that this information is being bought and sold to begin with,” Mao said. “When consumers can’t opt-out or organize to have an actual option to protect privacy, that’s precisely the role of government bodies.
“This is precisely why regulation is key,” she added.
“It should absolutely not be allowed,” Rob Shavell, CEO of DeleteMe said of credit bureaus feeding credit header data to wider industries. Of all the entities that are the root cause of this data, “the credit bureaus are number one,” Shavell added. “They are the ones that should be subject to the strictest compliance and ultimately be held to a higher privacy standard by the federal government and by state governments than they are being,” he said.
“The credit bureaus are number one.”
In March, the CFPB put out a request for information about data brokers, where organizations can write-in with their concerns about the trade of data. Last week, the CFPB announced it was proposing new rules that would change the regulation of credit header data. Under those proposals, brokers would not be able to sell such data for targeted advertising, training AI, or to perpetrators of domestic violence, according to an overview of the proposed rule provided by the CFPB. Brokers could still sell credit header data for other purposes like insurance and credit underwriting, and employment and government benefit applications.
On the face of it, those proposed rule changes may not curb the criminal access or abuse uncovered by 404 Media. When asked for the CFPB’s comment on criminals who carry out physical violence obtaining credit header data, the CFPB shared a quote from the agency’s director Rohit Chopra which again addressed artificial intelligence and not the kind of criminal abuse of the data reported by 404 Media.
“Reports about monetization of sensitive information—everything from the financial details of members of the U.S. military to lists of specific people experiencing dementia—are particularly worrisome when data is powering ‘artificial intelligence’ and other automated decision-making about our lives. The CFPB will be taking steps to ensure that modern-day data brokers in the surveillance industry know that they cannot engage in illegal collection and sharing of our data,” the statement said.
The CFPB’s announcement made no explicit mention of the sale of credit header data to private investigators, which is how criminals have managed to access such sensitive personal information. When pressed by 404 Media on whether the CFPB’s rule change would address this, the CFPB said it was in the early stages of the process, but that the sale of data to private investigators was a concern.
Mao said that if the CFPB does change the rules so credit header data is part of a consumer report, and therefore bound by the FCRA which regulates reports, “it would significantly restrict the sale of credit header data.” However, “it could be a strong regulation or it could be a very narrow regulation that still allows the sale of credit header data.” The “announcement essentially states that the agency intends to address the sale of the credit header data. While that's great news, we do not know the substance of what they will propose, though we hope it will really address the problem,” Mao said.
As part of its proposed rules, the CFPB is now asking small businesses to contact the agency and provide feedback. The entire process could still take a long time. Laura Rivera, policy counsel at Just Futures Law, believes the CFPB already has the power to combat the sale of credit header data. “We want the agency to act now, and not wait for a lengthy regulatory process to close the credit header data loophole,” she said.
Jordan Takeyama, senior public relations manager at Experian, said “we thoroughly vet all clients and partners, and contractually require them to maintain high levels of commitment to the responsible use and security of data and uphold laws.”
Equifax did not respond to multiple requests for comment.
“It is now clear that data brokers pose both a threat to U.S. national security and to Americans' safety and privacy,” Senator Wyden’s statement added. “These unaccountable companies have recklessly sold Americans' information to agents working for foreign governments and have enabled hackers to access and sell Americans' personal information to anyone with a credit card.”