Collection Agency's Server Stolen; Had 700,000 Accounts On It

Indiana broke its own record for computer security breaches last month, when a server containing personal data on 700,000 people was stolen from the offices of Central Collection Bureau, a debt collection agency. The stolen data included names, personal billing information, last known addresses, and social security numbers of people who hold delinquent accounts with a variety of companies, including utilities and hospitals. The company said the server was behind “three locked doors” and “was protected by two passwords, but was not encrypted.”

A lot of the data is old and potentially of little value—one hospital says the accounts it passed to the agency were all at least three years old or older. On the other hand, a gas company said that because it only had last known addresses on the accounts it handed over, it actually had no way of contacting the victims to alert them to the theft.

The agency president told the IndyStar, “We’re obviously heartsick about this. We’ve been in business since 1972, and nothing like this has ever happened before.” Responses from companies who had passed their customers over to the agency, however, varied from taking it seriously to regretting any inconvenience. We suspect they’re not feeling too much concern for their non-paying clients.

“700,000 Hoosier IDs exposed after theft” [IndyStar] (Thanks to Deon!)
(Photo: Getty)


Edit Your Comment

  1. Greeeeeaaaat.

    Oh, wait – they had it behind three locked doors and two passwords. And on a Windows NT4 SP1 server. So, you know.

    We need personal privacy theft penalties. The existing criminal statutes do not adequately cover this kind of stuff – where our valuable “property” is trusted in the hands of a second party, and which changes hands without our knowledge.

    Why can’t I get a list of who has my SSN?

  2. magic8ball says:

    “The company said the server was … not encrypted.” [facepalm]

  3. FDCPAGuy says:

    Which company I wonder… now might be a good time to dispute some things jk

  4. parad0x360 says:

    What kind of stupid company has sensitive data like this stored on a computer and doesnt properly protect it?

    Oh Collections Agency. That explains it, those guys break laws left and right why would anyone expect them to store secure data?

  5. ivanthemute says:

    Wait, you stole a server full of names and info of folks who are in collections? What the hell are you going to do with it, be declined for credit cards in others names? (Yes, I know the risks, just trying to make a joke.)

  6. gqcarrick says:

    How the hell do you not have cameras on the room that has your servers in it? We have cameras all over our server room and you have to use a key and a numerical keypad to get into the room. Not only that, servers aren’t exactly light objects.

  7. Mookitty says:

    Just think, if they took the UPS unit, they won’t even have to reboot to get the info.

    And who cares about credit ratings? These should be pretty complete identities, ready to sell to illegals.

  8. unpolloloco says:

    How exactly does one physically steal a server? Looks as if the thief knew exactly what he was looking for, however.

  9. lesbiansayswhat says:

    ‘A lot of the data is old and potentially of little value-one hospital says the accounts it passed to the agency were all at least three years old or older.’

    How is that information of little value? As far as I know, most people don’t change their names or social security numbers after 3 years.

  10. midwestkel says:

    I dont even know what to say, that is just terible!

  11. CapitalC says:

    @ivanthemute: I was thinking the same thing… “You stole the data of people with NO MONEY. Way to go, Einsteeeeeen!”

  12. loueloui says:

    Alright. Couldn’t have happened to a nicer bunch. Debt collectors really are the bottom rung of society, right below tow truck drivers, but above pedophiles. Not because of what they do -people should pay their debts- but because of the sleazy way they go about it.

    I love the lame attempt to put a happy face on it ,’A lot of the data is old and potentially of little value’. Right. Let me know when my social security number expires so that I can get a new one.

  13. hejustlaughs says:


    Visit [] and you’ll get your answer.

  14. captainleah says:

    i still dont pay hospital bills, and don’t give a damn about my fico score

  15. deb35802 says:

    I think its time that companies (voluntarily if not mandatory) follows similiar guidelines that the goverment uses for handling confidential and classified information. Of course I realize that not everyone is intelligent or has has enough common sense to understand and use those types of procedures.

    And as much as I don’t want Congress to get involved in identity theft I do think that companies that don’t secure this info should be made to pay multi million dollar penalites. (Maybe THAT would force them to institute severe security measures).

  16. Astos says:

    I can’t see the credit card details of people on a collecting agencies database being very useful :)

    Astos Green lasers rulz

  17. ok, a fucking SERVER was stolen?
    i understand if they don’t care about the data on the server (it should be backed up elsewhere) but how do oyu allow someone access to your server room, then let them walk out with one of your servers??

  18. mac-phisto says:

    no, no, no. you guys have it all wrong. this is not identity theft. this is a radical new approach to collections that we’re testing. we call it p2p skip tracing.

  19. doctor_cos wants you to remain calm says:

    Isn’t this the fault of the people who ended up in collections in the first place?
    If you paid your bills, they wouldn’t have your info!!

    Seriously, my ‘sensitive’ data on my own computer is encrypted (with the password “Kal-El” :)

  20. Myotheralt says:

    @ivanthemute: hey, they can only improve my credit. :/

  21. Mykro says:

    Don’t you mean ” “?

    Side note: I’m from Indiana. This actually sucks.. They probably have my info.. If they steal my ID, that just means theres more of me to go around :D

    Everyone bashing us people in collections can kiss my arse. I had a bad accident (dominant hand was Bush’d up baaad) and I was out of work, so I’ve got over 10k in hospital bills, plus a cellphone bill that I couldn’t pay at the time. That was 2 years ago now, and I’m working on paying those bills off, but I was told by an attorny they’ll still have my information on file afterwards for so long… Thats so awesome…

  22. sleze69 says:

    Crap. So what am I supposed to do now? They were one of the collections agencies that have been trying to get me to pay a bogus verizon account since 2001.

    I guess I need to freeze all my account information with the big 3. Do I get to send the bill to them?

  23. BugMeNot2 says:

    Who needs hacking or exploits when you can just walk out with not a duplicate or backup disk but that ACTUAL server…

    Yahhh.. Keystone cops securty ftw!

  24. unclescrooge says:

    I would like someone to explain to me why we don’t have more laws protecting consumers from the credit bureaus.

    It seems to me that no one has a right to make a profit off of me and the work and effort I have put into my life but me.

    Am I just whacked in the head or am I normal for thinking that?

  25. eric4ok says:

    I do like the statement that the “data is old and of little value.” If it’s of little value why was the collection agency keeping it. It’s obviously of value to them and probably many others – just for the SSNs themselves.

  26. mac-phisto says:

    @unclescrooge: ^^ whacked in the head.


  27. legotech says:

    This would be a good place to tell people how to freeze their credit reports?

  28. unklegwar says:

    Yay! Good thing I pay my bills on time!

  29. AstroPig7 says:

    So they had it behind three locked doors. Unless the locking mechanisms or the doors themselves were weak, this smells like an inside job. All the more reason to encrypt sensitive data.</SPECULATION>

  30. SacraBos says:

    @gqcarrick: There are lots of places that have sensitive information that isn’t encrypted on a SERVER. For instance, SSN is often a table key for a person, and it’s often clear-text in the database. And a “server” doesn’t have to be that big. I have a Terabyte server that’s the size of a desktop. Emphasis is generally to encrypt off-site or information physically leaving the data center.

    It seems it was reasonably physically secured, which for a server is generally sufficient. I agree with AstroPig7, for someone even to break through three doors (and know a rich target is there) to get at the thing, this smells to me of an inside job.

  31. SacraBos says:

    @loueloui: “Couldn’t happen to a nicer bunch…” – The problem I have with your statement is the actual victims are the people who’s information is now available to criminals. The collection company will have the hardware replaced by insurance and data restored from backup. Inconvenience for a few days. The people who’s information was on the server will have to watch their credit reports for years to come.

  32. TheKel says:

    What I find infuriating about this is that some of these credit agencies collect on bills that have already been settled. How many times on the Consumerist do we see stories of people being harassed by collection agencies for debts that no longer exist? When I bought my house a few years back, the mortgage broker was telling us that with regard to medical billing, unless the dollar amount on the credit record is through the roof (thousands, etc) they ignore it – it’s that well known that the credit agencies aren’t always on the up and up.

    So there are some people in that database who probably aren’t deadbeats, and never have been.

  33. Blue says:

    Stolen my ass…………id like to see the police report.

  34. dweebster says:

    @lesbiansayswhat: I change my Social Security number weekly, that way I never have these stupid problems.

    Oh yeah… I don’t do that because I can’t. The damn thing isn’t supposed to be used for anything except as a retirement account number. Collection bureaus, schools, States (DL number), Health Insurance companies, EVEN CELL PHONE COMPANIES etc. all use it as a damn mandatory “identifier” that you can’t change. If mine’s ever breached, I’m listing Sprint, Transunion, Experion, state of Illinois, and others as likely suspects in the theft. Biometric data, if they ever get THAT scam passed, will only be worse – whaddya going to do when THAT data is compromised – change your fingerprints or irises?

  35. lesbiansayswhat says:

    @dweebster: You know the next step..Mitochondrial DNA samples.

  36. fencepost says:

    I’ve been in many small offices (5-30 employees) where the server is sitting under someone’s desk; in others it may be in a closet but it’s generally not locked. Most of these are in one industry, but it doesn’t seem to be the line of business that matters, it’s the size of the business.

    I strongly suspect that this company is in that small-business category, and until companies get a bit bigger they generally don’t have the money or space for a dedicated server closet – particularly if they only have one or two servers. In a lot of cases, the closest thing to real security they have is that they’re running dedicated systems on SCO Unix and nothing else out there likes working with SCO’s funky partitioning system.

  37. Mr. Gunn says:

    No encryption is a error of gross negligence. They should have to pay for credit monitoring for everyone on the server. I’m willing to bet they’ll underrepresent the number by the amount of people they’re trying to collect under $10 from, so now might be a good time for a dispute if you’ve got a record with these people.