A 33-year-old Californian admitted illegally obtaining personal data on thousands of individuals and then using the information to obtain credit cards or otherwise conduct identity theft. In a plea agreement filed on July 17, 2006 with the U.S. District Court for Central District of California, Bryan Dill pleaded guilty to aggravated identity theft and other fraud related crimes. Sentencing is scheduled for September 25th.

In the plea, Dill admitted he accessed the Merlin database service claiming to be a private investigator. Dill used the database to obtain personal  information belonging to other people and used it to obtain credit cards on their behalf. Records suggest that Dill conducted at least 1,873 queries through the Merlin system to obtain information on approximately 5,875 people.  [DoJ press release.]

Merlin Information Services is a database of public and credit report records which allows [mostly] anybody to open an account by filling a form, pay a fee, and search records which may contain SSNs, DOB, among other interesting pieces of information.

What is troublesome in this case is the apparent lack of control on who can access the database and the potentially unlimited reach of information that can be obtained. It sort of becomes like a Russian roulette - we know that our records are in these databases, and we know that eventually they will be compromised, either technologically or socially, and then it is just a matter of luck whether our information will be extracted or not.