Risk
10/24/2013
12:18 PM
50%
50%

Experian Breach Fallout: ID Theft Nightmares Continue

Data brokers amassing gigantic data stores of people's valuable personal information are too big to not fail. Why are consumers getting stuck with the mess?

Let's review the ID theft landscape: A big business that earns millions from the buying and selling of personal information about you -- social security numbers, addresses, bank account details -- loses that information in a data breach, or maybe accidentally sells it to overseas fraudsters.

What happens next? Well, the business -- which, legally speaking, has no business relationship with you and thus can't be sued for the loss unless some immediate harm can be proven -- goes on buying and selling personal data. Consumers, however, get to keep looking over their shoulders, and bank statements, and credit card statements, wondering if some secreted stash of their personal information offered for sale via a foreign server is being bought and sold by data brokers' underground counterparts -- namely, ID thieves.

That's the situation that one InformationWeek reader I'll call "Ann" -- she asked to remain anonymous -- now finds herself in, after the news broke that an Experian subsidiary called Court Ventures was selling information directly to Superget.info, a Vietnamese fraudster service that offered customers the ability to look up millions of Americans' social security and driver's license numbers and financial information.

[ It's not just Experian. See NSA Harvests Personal Contact Lists, Too. ]

"I am possibly a victim of these people, but don't know for sure. In my case, seemingly MasterCard accounts were targeted -- a few fraudulent charges on one card, a few more on another a week or two later, and then the fraudulent creation of an online account on a third credit card for which I hadn't chosen to create my own online account," said Ann, who's the president of a small software company that sells point-of-sale software for restaurants. "When the fraudulent online account was created, it contained updates to my home address and phone number, among other changes. This was enough for the credit card company to forward an address change for me to the credit bureaus."

But Ann, who started her career as a Fortran and Cobol programmer and previously worked in the finance sector, said she wasn't tipped off about the ID theft until she received a letter that asked her to confirm a bogus address change. "At that point I alerted the credit bureaus, and am in the process of getting this mess fixed," she said. "Fortunately, the credit card companies caught this before fraudulent charges hit my statements, but it's a time-consuming nightmare."

One of the rubs in these situations is that when a consumer like Ann spots that her identity has been stolen, the culprit may not be clear. Indeed, her personally identifiable information (PII) may have been stolen several years ago, and only recently put to use.

Not coincidentally, when the Department of Justice announced the arrest of Vietnamese national Hieu Minh Ngo, 24, earlier this week on a 15-count indictment that included numerous identity theft and fraud charges, it alleged that over a three-year period he'd "offered for sale, sold and/or transferred to others packages of PII for more than 500,000 individuals."

What the Justice Department statement didn't mention, however, was that much of this resold data was purchased from a U.S. data broker known as Court Ventures, which Experian bought last year. We know about that flow of data thanks to investigative reporter Brian Krebs, who traced two-character and three-character "sourceID" data attached to information being sold by the "fraudster-friendly site" Superget.info -- allegedly operated by Ngo and a "John Doe" co-conspirator -- back to USInfoSearch.com, a legitimate data broker which previously pooled its data with Court Ventures for resale.

"The suspect in this case obtained access to U.S. Info Search data through Court Ventures prior to the time Experian acquired the company," an Experian spokesman said via email. According to Krebs, the Vietnamese criminals tricked Court Ventures into thinking they were U.S.-based private investigators. A missed red flag was that their payments always came via wire transfer from Singapore.

The obvious next step for Experian would be to issue data breach notifications to the more than 500,000 Americans affected by the breach, as well as offer identity theft services. Helpfully, of course, Experian already has the victims' postal addresses -- since it buys and sells this information -- so they will be easy to find. In addition, Experian has its own ID theft monitoring service. That said, consumers might prefer that Experian contract with a third party, given that the company itself learned of the data breach not via due diligence of Court Ventures prior to the acquisition, but after the fact, courtesy of the U.S. Secret Service.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Railroader
50%
50%
Railroader,
User Rank: Apprentice
11/3/2013 | 8:28:15 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
I Believe this Data collecting violates my constitutional rights and should be stopped immediately, I have not given these thugs my expressed written permission to collect any information, public or private, about me, or to sell same, and should be considered illegal.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/28/2013 | 3:22:59 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Thanks for all of this. Another notable effort on this front is being helmed by Sen. Jay Rockefeller (D-WV), who chairs the Senate's Committee on Commerce, Science, and Transportation. He's written a letter to Experian, cited by security reporter Brian Krebs, demanding more information about the data breach.

Last year, the committee launched an investigation into the business practices of nine data brokers, including Experian, although the data broker has reportedly declined to answer all of the committee's related questions. Last month, Rockefeller widened the probe to include the data-sharing practices of 12 websites.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
10/28/2013 | 2:49:53 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Odd, I thought their core business was selling personal information and rating recommendations (ideally to the banks that provide it in the first place). Now with many major retailers finding that managing their own credit system is lucrative, they are buying credit reports on prospective customers as well. I've never seen anything to indicate they have more than a passing interest about the individual. Ideally, they would care who they sell to but investigating a paying customer and taking away from your own revenue is kind of hard to believe.
BGREENE292
50%
50%
BGREENE292,
User Rank: Apprentice
10/26/2013 | 12:28:41 AM
re: Experian Breach Fallout: ID Theft Nightmares Continue

Matthew, thank you for helping readers understand the tortuous chains of corporate responsibility involved in management of personal financial data. Experian has been a problem of late, as your article details at length.



As with Experian-- which claimed the security breach (somehow) was beyond its control after acquiring Court Ventures because Court Ventures was already (allegedly) compromised-- denial seems the first corporate reflex.

But if managing securely all data access by third parties to bank and fund accounts is not fundamentally a fiduciary responsibility, what could else could it be? Denial of responsibility seems the least acceptable response of those whose job was, and is, to manage data security for depositors' assets in trust. In this age of digital commerce, data security, itself, is a primary client asset.



Aside from a federal regulatory review of such issues, it now appears only sweeping and thorough legislation can address the endemic problems of data security. Readers can contact Sen. Elizabeth Warren, a strong consumer financial rights advocate, at http://www.warren.senate.gov/ or the federal Consumer Financial Protection Bureau, director Richard Cordray, at http://www.consumerfinance.gov...
TerryB
50%
50%
TerryB,
User Rank: Ninja
10/25/2013 | 5:08:51 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Strike two against Experian. Those clowns were just on 60 Minutes in last year because they can't even get their core business correct, removing bad credit information from their database even after the person shows them it was incorrect. The takeaway from 60 Minutes report was they don't care, doesn't impact their bottom line.
Tom Murphy
50%
50%
Tom Murphy,
User Rank: Apprentice
10/25/2013 | 4:51:55 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Good story, Matthew. I think this all reflects how technology has outpaced society's ability to cope with new issues like abuse of PII. We've always had PII and we've always had people who abused that info for illegal personal gain -- crooks. There have always been companies that compile personal information -- an industry that goes back a century, at least. What is new is the speed with which that information can be shared and resold -- quite legally -- and the abused illegally. And the problem will get much worse very quickly, as big-data-skimming analytics tools piece together such things as your mother's maiden name, your pet's name, your hometown, and childhood friends from social media, where billions of people generously post such information daily.
What to do? A) End the current weak methods of online payments and replace them with biometric systems that confirm the ID of the buyer; B) Require credit montoring companies to red-flag changes in contact information to the individual involved; C) Create a universal registry to help victimized consumers identify and quickly correct fraudulent entries in ALL their credit accounts simultaneously.
The failures of the current system should not fall on the shoulders of the victims, who are usually technically ill-equipped to combat the technologically sophisticated crooks who are victimizing them.
Other ideas?
archangelnikk
50%
50%
archangelnikk,
User Rank: Apprentice
10/25/2013 | 2:26:29 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Really shows the bad guys will stop at nothing to acquire consumer information, and as well the lack of controls big business has protecting that data...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?