Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell.

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013,

Two other compromised systems were located inside the networks of Dun & Bradstreet,

The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides background, drug, and health screening for employers.

In my research for the Involuntary Case Studies in Data Breaches presentation I update every few years, I come across many dozens of breaches of credit check services, data brokers, and other information-gathering services. Go check it out yourself at the DataLossDB and search on Experian, LexisNexis, and so on.

What I didn’t know is how many institutions rely on this data for Knowledge Based Authentication, and that it has been broken since at least 2010, according to Avivah Litan of Gartner (who is great – rely enjoyed working with her). I am fascinated because although I always considered this data aggregation a privacy risk – now we see it also as a security risk.