Experian ID Theft Exposed 200M Consumer Records
ID theft ring sold access to database with 200 million consumers' private data to 1,300 criminals.
A Vietnamese identity theft ring allowed criminals to conduct searches on an Experian-owned database containing information on 200 million consumers.
That information was revealed in a March 3 federal court hearing in which Hieu Minh Ngo pleaded guilty to running a business from his home in Vietnam that provided access to US consumers' personally identifiable information (PII), security journalist Brian Krebs first reported.
According to the Justice Department, Ngo sold "fulls," referring to bundles of PII that can be used to commit bank fraud, credit card fraud, and to file fraudulent income tax return requests. The fulls were advertised via a number of underground cybercrime sites, including Superget.info.
Just how big was the data breach involving the Experian database? US attorney Arnold H. Huftalen told the court that Ngo had allowed 1,300 criminals to "make more than 3 million queries of U.S. citizens' PII" over an 18-month period, according to a transcript of the hearing.
But the defendant couldn't confirm the number of records that may have been accessed, his lawyer, Michael J. Connolly, told the court. "Ngo was not aware of the number of queries that were conducted by his clients," he said. "He doesn't dispute the number. He just simply did not have that knowledge." In other words, well over 3.1 million consumers may have been affected.
Huftalen told the court that information obtained by Ngo's criminal clients included "individuals' names, addresses, Social Security numbers, dates of birth, places of work, duration of work, dates of employment, state driver's license numbers, mother's maiden names, bank account numbers, bank routing numbers, email account names and addresses, and other account passwords." He also said that while an exact count of the consumers whose PII was accessed by criminals wasn't yet available, "that information will be available in the near future."
According to the Justice Department, Ngo's clients made 45,000 deposits -- totaling more than $1.9 million -- to a Liberty Reserve account he controlled. Liberty Reserve, a Costa Rica-based digital currency company, was shut down in May 2013 by the Justice Department, which described it as the "bank of choice for the criminal underworld" and accused its administrators of enabling clients to launder $6 billion in ill-gotten gains.
During last week's hearing, Ngo pleaded guilty to one count each of wire fraud, identity theft, and access-device fraud, and faces a maximum prison term of 45 years. He's due to be sentenced on June 16.
Ngo, who was first arrested in February 2013 in Guam, still faces computer hacking charges filed in New Jersey federal court. According to last week's court transcript, he's also assisting with another criminal prosecution that was filed in New York federal court.
According to the Justice Department, Ngo posed as a Singapore-based private investigator to get access to Court Ventures, which billed itself as a firm that "aggregates, repackages, and distributes public record data, obtained from over 1,400 state and county sources," and which served as a reseller for data provided by US Info Search. Court Ventures was purchased in March 2012 by Experian, which is one of the country's three biggest data brokers. But Experian failed to spot Ngo's inappropriate data access, which continued for another nine months, until the US Secret Service alerted the company.
When news of the breach perpetrated by Ngo first surfaced in October 2013, Experian argued that "no Experian database was accessed" by the criminals, saying the information had come from US Info Search. The firm declined to respond to questions about whether it would issue data-breach notifications to consumers whose information may have been obtained by criminals.
The Experian data breach highlighted the double-edged business of data brokers who buy and sell people's personal information, but who can't be held liable if that information gets inappropriately procured or used. Likewise, consumers have no ability to opt out of having data brokers buy or sell their personal details.
On a related note, the Senate Committee on Commerce, Science, and Transportation launched a data-broker investigation in October 2012, which culminated in the release of a report in December 2013 that called into question whether the industry's self-regulation properly safeguards consumers' privacy. In particular, the report accused the nine data brokers under investigation -- including Experian -- of operating "behind a veil of secrecy."
Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.