London, November 22, 2004 -- An on-line database containing the career and contact details of over 22 million business people may have a flaw in its design, which puts those profiled at risk of identity fraud.
Eliyon's software continuously crawls the Internet and reads millions of websites, press releases, electronic news services, SEC filings and other online sources and then extracts information about business people, and the firms they have worked for, into a single searchable database. Clicking on a person's name displays a page containing that person's contact information, employment history, board memberships, educational background and other details.
The flaw, which allows any unsecured profile to be updated without suitable confirmation of the updater's identity, was discovered by Greg Grimer, the founder of Elicit Intelligence, a sales opportunity and business intelligence consultancy serving the financial technology sector, while he was using the database.
"I looked up a couple of my employees, who had many years of experience in banking and financial technology, and who I knew had been mentioned in press releases at their previous firms. When I pulled up each profile and saw an invitation to update it on my screen, it immediately occurred to me that Eliyon had no simple way of confirming I was who I said I was. I clicked on the update link, curious to see what evidence they required, and found I could edit the profile simply by providing an anonymous Hotmail address. Two minutes later Eliyon had sent me a confirmation e-mail, which I duly confirmed back to Eliyon from this address. Now one of them worked for Barings' 1994-1995, followed by a spell in Enron's accounting department until 2001."
The concern is that if Eliyon's 22 million profiles, which are assembled from read-only forms of web data, can be edited by anyone who claims to be their subject, then those profiled are at risk of fraudulent impersonation.
Greg Grimer continued, "Eliyon's database has potential, but in my view they may have taken a shortcut on desirable identity procedures to avoid the costs and difficulties of positively identifying people, which financial sector people are only too aware of with KYC regulations and increasing identity fraud. In financial services, where trust and the integrity of personal data are of fundamental importance, I feel this is a risk that all senior people need to be made aware of, since most of them are profiled in this database and their profiles are editable until they act to secure them."
The advice is that you check this database, as soon as possible, and secure your profile with a username and password. If you are, or have been, publicly associated with a current or former employer on the Internet, then you are likely to have one or more profiles on this database.