200 million Americans have had their sensitive data sold. Ouch. What makes this story worse is that the seller was Experian Co., a well-known and highly trusted credit reporting agency.
This story surfaced back in October of 2013 and seemed to have been shadowed over by the Target data breach story just one month later. However, the case with Experian has not gone unnoticed, especially by the victims of the data breach. As a result, new developments have been found in this story.
A Scary Story
Hieu Minh Ngo has specialized in stolen credit cards, personal information and sensitive data with sales dating back to 2007. It was not until 2013 when he was arrested, as a result of his involvement in this case. This came after he obtained access to a 200 million large database of Experian customer’s and their sensitive information.
The scary part is that he pretty much just walked in, handed over some money, and walked out with the private information of 200 million Americans. This wasn’t done by Experian on purpose though, Mr. Ngo had obtained the data through fraudulent means.
It started with Mr. Ngo impersonating a private investigator from Singapore to earn a customer position with Court Ventures Inc., which is a court records firm based in California. Experian purchased this company out in 2012 and its customers had the right to access their database full of American customer’s information.
CEO Unaware of Situation
In March of 2014, Experian Co. commented on the situation in a blog post and stated that they were not privileged to manage the compromised database. They claimed that it was under the direct control of U.S. Info Search, which is a company out of Ohio that was in a working relationship with Court Ventures Inc.
The CEO of U.S. Info Search, Marc Martin, was unaware that there was any fraudulent access of the database due to the complex arrangements and management in place. Further, Experian Co. has yet to provide this company with information on the affected individuals.
The results of Mr. Ngo’s illegal access have been daunting. His customers, in total, hit the compromised database with over three million queries. It is unknown to the government as to how many individuals have been affected thus far.
Customer’s Data Went Missing
Few things have been confirmed with this story. What is now known is that Court Ventures inadvertently sold personal data of a bare minimum of hundreds of thousands of Americans to an individual in Vietnam, which turned out to be Mr. Ngo. This data was then resold on fraudster-friendly websites that supported identity theft related sales, which include Findget.me and Superget.info
The main concern is that many more Americans have been affected by the data breach. This is likely due to the fact that Mr. Ngo had direct access to the personal information of 200 million Americans. In fact, the only likely way that this information is not in the hands of more of the wrong people is if Mr. Ngo only found buyers for the smaller amount of customer’s data.
However, recently it was revealed that the number of affected customers may be much higher than just a few hundred thousand. It was publicized in court hearings that a minimum of $1.9 million was spent amongst 1,300 different customers for data look-up services from Mr. Ngo over his six years of operation. This information included Social Security Numbers, current and previous addresses, dates of birth, and much more sensitive data.
A sentencing hearing will take place at a federal court in New Hampshire this June. Court records show that there is some compliance by Mr. Ngo, primarily on another hacking case that he is involved in.
The Attorneys General from both Connecticut and Illinois are making an investigation into the practices of Experian plc, probing the specifics of the data breach. This will hopefully expose a better idea on how many individuals are affected. One thing is for sure though, everyone in that database will need to assume that their information has been compromised.
There is expected to be a lot of scrutiny towards the practices of Experian, but at the end of the day they will likely not receive any legal blame for the data breach. After all, they had purchased the company holding the database just a year prior to the arrest of Mr. Ngo and they were most likely unaware of the illegal access made by him – however, what they do have against them is the fact that a single individual went unnoticed while querying the database millions of times.
There is no guarantee as to where this investigation will go and what will happen with the court hearings for Mr. Ngo, so this story is considered developing and will likely remain as such for a couple of years.