Attacks/Breaches
3/11/2014
12:55 PM

Experian ID Theft Exposed 200M Consumer Records

ID theft ring sold access to database with 200 million consumers' private data to 1,300 criminals.

A Vietnamese identity theft ring allowed criminals to conduct searches on an Experian-owned database containing information on 200 million consumers.

That information was revealed in a March 3 federal court hearing in which Hieu Minh Ngo pleaded guilty to running a business from his home in Vietnam that provided access to US consumers' personally identifiable information (PII), security journalist Brian Krebs first reported.

According to the Justice Department, Ngo sold "fulls," referring to bundles of PII that can be used to commit bank fraud, credit card fraud, and to file fraudulent income tax return requests. The fulls were advertised via a number of underground cybercrime sites, including Superget.info.

Just how big was the data breach involving the Experian database? US attorney Arnold H. Huftalen told the court that Ngo had allowed 1,300 criminals to "make more than 3 million queries of U.S. citizens' PII" over an 18-month period, according to a transcript of the hearing.

But the defendant couldn't confirm the number of records that may have been accessed, his lawyer, Michael J. Connolly, told the court. "Ngo was not aware of the number of queries that were conducted by his clients," he said. "He doesn't dispute the number. He just simply did not have that knowledge." In other words, the number of consumers affected may be far higher than 3.1 million.


Huftalen told the court that information obtained by Ngo's criminal clients included "individuals' names, addresses, Social Security numbers, dates of birth, places of work, duration of work, dates of employment, state driver's license numbers, mother's maiden names, bank account numbers, bank routing numbers, email account names and addresses, and other account passwords." He also said that while an exact count of the consumers whose PII was accessed by criminals wasn't yet available, "that information will be available in the near future."

According to the Justice Department, Ngo's clients made 45,000 deposits -- totaling more than $1.9 million -- to a Liberty Reserve account he controlled. Liberty Reserve, a Costa Rica-based digital currency company, was shut down in May 2013 by the Justice Department, which described it as the "bank of choice for the criminal underworld" and accused its administrators of enabling clients to launder $6 billion in ill-gotten gains.

During last week's hearing, Ngo pleaded guilty to one count each of wire fraud, identity theft, and access-device fraud, and faces a maximum prison term of 45 years. He's due to be sentenced on June 16.

Ngo, who was first arrested in February 2013 in Guam, still faces computer hacking charges filed in New Jersey federal court. According to last week's court transcript, he's also assisting with another criminal prosecution that was filed in New York federal court.

According to the Justice Department, Ngo posed as a Singapore-based private investigator to get access to Court Ventures, which billed itself as a firm that "aggregates, repackages, and distributes public record data, obtained from over 1,400 state and county sources," and which served as a reseller for data provided by US Info Search. Court Ventures was purchased in March 2012 by Experian, which is one of the country's three biggest data brokers. But Experian failed to spot Ngo's inappropriate data access, which continued for another nine months, until the US Secret Service alerted the company.

When news of the breach perpetrated by Ngo first surfaced in October 2013, Experian argued that "no Experian database was accessed" by the criminals, saying the information had come from US Info Search. The firm declined to respond to questions about whether it would issue data-breach notifications to consumers whose information may have been obtained by criminals.

The Experian data breach highlighted the double-edged business of data brokers who buy and sell people's personal information, but who can't be held liable if that information gets inappropriately procured or used. Likewise, consumers have no ability to opt out of having data brokers buy or sell their personal details.

On a related note, the Senate Committee on Commerce, Science, and Transportation launched a data-broker investigation in October 2012, which culminated in the release of a report in December 2013 that called into question whether the industry's self-regulation properly safeguards consumers' privacy. In particular, the report accused the nine data brokers under investigation -- including Experian -- of operating "behind a veil of secrecy."


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
pfretty,
User Rank: Apprentice
3/18/2014 | 6:05:43 PM
Resolution time
It always amazes me how long it takes organizations to resolve these issues after they realize, usually from a third party, that something is wrong.  According to the 2013 HP-Ponemon Institute Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013), on average incident resolution takes 32 days, and the average organization deals with 100-plus attacks per year.  Time to change the culture and attitude towards preparing and maintaining a secure front.

Peter Fretty (j.mp/pfrettyhp)
Michael Endler,
User Rank: Apprentice
3/12/2014 | 3:23:27 PM
Veil of Secrecy
"In particular, the report accused the nine data brokers under investigation -- including Experian -- of operating 'behind a veil of secrecy.'"

No kidding. I wouldn't be a fan of Experian even if this breach hadn't occurred. Now that it has, I hope more people question the influence these kinds of companies wield.
LeeC216,
User Rank: Apprentice
3/12/2014 | 2:33:05 PM
Re: paper scissors rock.. gambling with your data
gmail addresses are more valuable than facebook email addresses.

Your suggestion that one try all login methods and then guess what data is being mined from each one is just playing paper scissors rock.

There is no valid reason Information Week needs relationship data for a comment.  Given you point out they collect fewer data points with gmail logins, it would argue that the excess collection is unwarranted.

Thus, even if someone agreed with playing paper scissors rock with the logins, Information Week is collecting data for no valid business reason.

They collect it to mine data.  They are part of the problem, not the solution.

Secondly, the farmed content (rewritten from Brian's article) is now linked on infosec news, and dark reading.  This is how companies hijack content, make it their own, and then propagate it.  That way they essentially take readers away from the original author.  In effect they steal content much like a scraper site that republishes content.

Of course the business model promises great rewards, but it's all smoke and mirrors.  In the aggregate, we are all poorer by such businesses that try to get grandma to buy soap a instead of soap b.

The shocking thing to me is the author of the article and Information Week feel no remorse, they don't feel they have done anything wrong.  They are, as the infamous banker said "doing God's work", so they think.

It's particularly troubling to see these folks clearly viewing themselves as on the side of 'good'.  When put up against the golden rule ("do unto others as you would have them do unto you"), the information mining and selling our data fails miserably.  Information Week doesn't sell its email addresses, relationships, etc.  They consider that too risky and too valuable.  But they have no problem with mining data in exchange for posting a comment.  The price to have a voice in the internet era is very very high indeed.  Even if one does not comment, they will mine the page views, so a price to even hear about a story they stole from someone else is quite high.

And that's the great business model of big data.  It's not about actually making a product or creating content, it's about content farming and selling your data.  It's not a sustainable economic model and in the aggregate we are all poorer for it.  Some will get rich if they cash out before the 'big one', but in aggregate, we are all poorer.


So no, gmail address instead of facebook is just paper scissors rock.
Mathew,
User Rank: Apprentice
3/12/2014 | 10:40:57 AM
Re: Zero Trust
Interesting take.

On a related note, the Experian Data Breach Resolution service in November issued a report predicting that data breaches and related fraud would increase, especially as consumers' "breach fatigue" intensified.
Drew Conry-Murray,
User Rank: Ninja
3/12/2014 | 10:34:04 AM
Zero Trust
This is why I didn't sign up for Target's free credit monitoring after Target got breached. I didn't want to volunteer my information to companies like this because they are lousy stewards (not to mention I have serious problems with the whole business model).
rradina,
User Rank: Apprentice
3/12/2014 | 10:14:44 AM
Re: Numbers
You don't have to login with Facebook on this site.  I use a Google e-mail account.  I don't do much with it but collect spam from various places where I use it as a login.  I never use Facebook as a login, anywhere, period.  If Facebook is required, then I don't login.
Mathew,
User Rank: Apprentice
3/12/2014 | 9:37:22 AM
Re: Numbers
Jim: The short answer is that the database to which Ngo had access contained information on 200 million US consumers. The government has said that Ngo's clients (i.e. criminals) made 3.1 million queries. As of about 2 weeks ago (at the hearing) it wasn't able to say which US citizens had their records accessed, at least not yet. 

During the recent hearing, Ngo said that he couldn't confirm/deny the government's numbers, because he simply didn't know. 

Accordingly, if the government's count is accurate, then 3.1 million queries were made, and many, many more records may have been accessed. But when it comes to data breaches, initial counts can fluctuate wildly (in either direction).

I have a query out to Experian, asking if it can confirm the 3.1 million query number. 

From a security/privacy standpoint, the fact that an ID theft ring gained access over a period of many months to an Experian-run database that contained information on 200 million people is troubling.
LeeC216,
User Rank: Apprentice
3/12/2014 | 1:05:17 AM
Re: Numbers
1) It must be noted that to reply to your comment, I had to 'consent' to having my facebook data mined by infoweek, so let's be clear, they ARE part of the problem, and add one to the list of compromised information. :)


2) the numbers don't add up due to a) imprecise estimates b) a request for a record returns a page of records, thus there is a multiplier applied to the requests to get to the result and c) unclear reporting, which is likely due to lack of understanding, time pressure, and grabbing the numbers from Brian's blog instead of doing the math themselves.


Unfortunately, the media is part of the problem.  They feel they must repackage the story to add to infoweek 'content' rather than simply linking to it.  This is a similar model to the data brokers who copy the data and pass it around as well.  In the end, there is little 'new' content.  The money is made in repackaging and selling it, as this article does.

The problem of course, is in the aggregate, society loses while the data brokers are like gamblers who use your data as the casino chips.  Given that there is at least a non-zero chance of losing the data, through hacks such as target, or scams such as Experian, or goofs where they publish the data accidentally, and given that there no end date for the gambling, the probability of disaster is certainty.

In the aggregate, there isn't any gain from getting a consumer to buy soap A vs soap B.  In fact, there is a loss.  And given that eventually the whole thing will be compromised it becomes eerily similar to the derivatives and leveraged gambling that caused the recent Great Recession.  A few will get rich.. particularly those that build the casino, gamble with your data, and cash in (sell shares to your pension fund).  They will walk away rich.. as the bankers did.

I don't think we learned a darned thing from the financial crisis.  The IT folks think they are smarter than the financial engineers because the IT folks can scale up and leverage more.

It won't end well.

Anyway, the answer to your question is in the many to one ratio of requests to records returned.  As an example, if you put in john smith you get a whole list of john smiths, and you just pick the ones you want (yup, they just let folks browse the info!).. but hey, they are paying customers.. so it's "OK".

..well, now back to blocking informationweek from my fake facebook data.. gotta run!


good luck.
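The many-to-one relationship between lookups and records argued in the comment above (a name search returns a page of candidates, so a query count is only a floor on records exposed), together with the per-account volume check a data broker could run on its own audit log, as an added example. This is illustrative Python written for this page, not code from the article, from Experian or Court Ventures, or from any commenter. The audit-log lines, the account names, the 10-day window and the five-times-median threshold are all constructed assumptions.

```python
from statistics import median
from typing import NamedTuple


class LookupEvent(NamedTuple):
    account: str            # reseller / customer account that ran the search
    day: int                # day within the observation window (1-based)
    records_returned: int   # consumer records on the result page for that search


# Constructed audit-log sample (hypothetical accounts, not real broker data).
# A name search such as "john smith" returns a page of candidate records, so
# records_returned is usually greater than 1. Three accounts query occasionally;
# "acct-d" runs six lookups a day, every day, and sees 12 hits each time.
SAMPLE_LOG = [
    LookupEvent("pi-firm-a", 1, 1), LookupEvent("pi-firm-a", 3, 4), LookupEvent("pi-firm-a", 7, 2),
    LookupEvent("collections-b", 1, 3), LookupEvent("collections-b", 2, 1),
    LookupEvent("collections-b", 5, 5), LookupEvent("collections-b", 9, 2),
    LookupEvent("law-office-c", 4, 1), LookupEvent("law-office-c", 8, 3),
] + [LookupEvent("acct-d", i % 10 + 1, 12) for i in range(60)]


def exposure_bounds(log):
    """Return (lower, upper) bounds on records exposed.

    Every query touches at least one record, so the query count is the floor;
    the sum of records shown on result pages is the ceiling (repeat hits of the
    same person across queries are not de-duplicated here).
    """
    queries = len(log)
    records = sum(e.records_returned for e in log)
    return queries, records


def query_rate_by_account(log, window_days):
    """Queries per day for each account over a window of window_days days."""
    counts = {}
    for e in log:
        counts[e.account] = counts.get(e.account, 0) + 1
    return {acct: n / window_days for acct, n in counts.items()}


def flag_high_volume_accounts(log, window_days, factor=5.0):
    """Accounts whose query rate exceeds factor x the median rate of all accounts.

    The median is robust to one runaway account dragging the baseline up, which
    a mean would not be. Returns the flagged account names, sorted.
    """
    rates = query_rate_by_account(log, window_days)
    baseline = median(rates.values())
    return sorted(a for a, r in rates.items() if r > factor * baseline)


if __name__ == "__main__":
    lo, hi = exposure_bounds(SAMPLE_LOG)
    print(f"{lo} queries; between {lo} and {hi} records exposed")
    print("flagged:", flag_high_volume_accounts(SAMPLE_LOG, window_days=10))
```

On the constructed sample the floor is 69 queries but the ceiling is 742 records, which is the gap between "3 million queries" and the number of consumers actually affected. A reseller account that out-queries the median customer by a large factor for months is exactly the signal an internal review of the access log should surface before an outside party has to report it.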
Jim Donahue,
User Rank: Apprentice
3/11/2014 | 1:46:12 PM
Numbers
I'm not quite following the numbers here. Is it they had access to a database with info on 200M users but only accessed data on 3.1M?