Computer buffs using home terminals have broken into one of the largest confidential data files in the world, the TRW Information Services Division's computers holding credit histories of 90 million people.
The system was entered after so-called computer hackers got access to a secret password and a manual on the system's operation. The password leaked out more than a year ago, but TRW officials were not notified until two weeks ago.
TRW Information Services is a credit bureau that transmits over telephone lines such information as credit histories, employment records, bankruptcies, loan delinquencies and Social Security numbers. The service is used by more than 24,000 subscribers, including banks and department stores, and can be reached from more than 35,000 locations.
TRW officials said that although the break-in allowed home computer users to read confidential files, those users would not be able to change the files. Changes are submitted monthly on tape, and files are not altered through the on-line computer system.
TRW officials said the password and manual were obtained from a Sears, Roebuck store in Sacramento that subscribes to the system. Computer buffs eventually posted the code number on an "electronic bulletin board," which any home computer user with the right equipment can read by using a telephone. It is not known how many times people broke into the TRW system, but sources said that it has been common knowledge for months among many computer buffs that the TRW files could be entered easily and credit records read.
The breach was first reported by Newsday, which quoted unnamed computer hackers as saying the TRW system was entered not only to read credit records, but also to "expedite credit card fraud" by finding out whether a person whose credit card was stolen had a large credit limit.
TRW said the leaked password has been changed and that no other codes are believed to be available to hackers. The Newsday story, however, quoted sources who said that other codes that provide access to other TRW files are still circulating.
Referring to the amount of time it took TRW to learn about the problem, Jerome Saltzer, a specialist in computer systems and communications at the Massachusetts Institute of Technology, said, "That is a disturbing . . . fairly appalling amount of time for something like that to go undetected. If true, it suggests that the company doesn't regard this information as very important to protect . . . . They are not very concerned about protecting people's privacy." He said that relatively simple monitoring techniques should pick up that kind of security breach relatively early.
Company officials said it is possible that unauthorized access could have been obtained through a department store line or a similar line on which many requests for credit information are placed daily. On such a line, they said, a few extra requests might not be noticed.
Saltzer said that a system with 35,000 access points is difficult to police and that anyone running such a system without elaborate security precautions must assume that a few of the thousands of people who have access to it might sell the code or otherwise misuse the system.
Among the security measures TRW could have taken are requiring the user to be called back at a certain phone number before information is sent; changing secret codes more often; and installing devices on system telephones that trade recognition signals with the central computer before information is sent.
A recent American Bar Association study found that 27 percent of the 275 businesses and public agencies it polled had been victims of computer crime, suffering losses of half a billion dollars last year.
Donn B. Parker, a computer security expert at SRI International in Menlo Park, Calif., said a rough survey has counted about 1,400 computer crimes in the United States over the past two decades. He said that many large companies have installed security systems, but that there is a trade-off between security and the cost and convenience of using a computer system--the more security used, the costlier and more inconvenient it becomes.
The TRW system uses two codes, a seven-digit code to identify the user and a shorter "secret password," sources said. The first code is less guarded and relatively easy to obtain, and the shorter, "secret" code, they said, is "far too easy" to crack.
If it cannot be shown that the TRW break-ins were used to commit fraud--if they were merely curiosity trips by computer hackers--then it would be unclear whether they were illegal, according to a company spokesman. The company has been among those seeking stronger legislation to fight computer crime.
About 25 states have computer crime legislation, but obtaining "unauthorized access" to confidential information is considered a crime in only a few.