WASHINGTON — The pursuit of hackers who audaciously stole and published credit reports for Michelle Obama, the attorney general, the FBI director and other U.S. politicians and celebrities crisscrossed continents and included a San Francisco Internet company, Cloudflare, the Associated Press has learned.
The sensational crime caught the attention of Congress and President Barack Obama, who said, "We should not be surprised."
Credit reports of about two dozen people were published this week on a Russian website, including those of Republican presidential candidate Mitt Romney, Donald Trump and celebrities Britney Spears, Jay Z, Beyonce and Tiger Woods.
Perhaps in a show of defiance as the FBI, the Secret Service and the Los Angeles Police Department coordinated efforts to investigate the security breach, the website added late Wednesday what it said was the credit report of disgraced Pennsylvania football coach Jerry Sandusky.
If accurate, as widely suspected, the leaked records put each victim at significant risk of identity theft. Included in the reports are Social Security numbers, dates of birth and a list of previous home addresses. The records also include such personal information as the first lady's monthly payments on a student loan 10 years ago.
On Capitol Hill, the chairman of the House Judiciary Committee cited the breach Wednesday at a congressional hearing about the government's prosecution of hackers. Rep. Bob Goodlatte, R-Va., said the leaks of financial information were "just the beginning of the problem."
A spokesman for one of the largest U.S. credit bureaus, Tim Klein of Equifax, said an initial investigation showed that the hackers accessed the credit bureau's system by correctly entering personal details about their victims to impersonate them and generate the credit reports.
Representatives for Experian, Equifax and TransUnion all said they are cooperating with the criminal investigation being conducted by the FBI and the Secret Service.
In San Francisco, Cloudflare operates the directory computers, known as name servers, used behind the scenes to send visitors to the Russian website where the stolen credit reports were being published, according to Internet registration records.