200 million consumer records left exposed in Experian security oversight


Summary: Smooth words and a fake identity gave one man the power to compromise millions of private financial records belonging to U.S. consumers.


An ongoing investigation has revealed that a Vietnamese man posing as a private investigator was able to dupe Experian into compromising data which could equate to millions of customer records.

Last year, Krebs on Security published a story documenting the tale of 24-year-old Vietnamese national Hieu Minh Ngo, the founder of an online identity theft service. Phishing campaigns, breaking into systems, keylogging software -- these are all ways to snatch someone's personal, financial data, but what if you can go to an agency source and simply buy the information you want instead?

Ngo, posing as a private investigator in Singapore, took this route -- and was able to purchase the financial records of U.S. consumers directly from a company owned by Experian, one of the world's largest credit monitors, in order to sell it on for allegedly fraudulent purposes.

Court Ventures, owned by Experian, is an aggregator of digital public records. The firm has a deal thrashed out with another party, Columbus, Ohio-based U.S. Info Search, so both companies can freely access each other's databases. Ngo used this to his advantage; through monthly cash wire payments, he was able to access this database and lift the data he wanted, exposing the sensitive information of roughly 200 million U.S. citizens.


Ngo was arrested last year in Guam after running the scheme from home in Vietnam from 2007 to 2013. The scam artist was arrested by U.S. Secret Service agents after the agency set up a fake business deal involving the trade of consumer data.

The Vietnamese national pleaded guilty last week, and after being charged with wire fraud, access device fraud and identity fraud, could face up to 45 years behind bars. Ngo will be sentenced on 16 June.

Brian Krebs was able to acquire a transcript of the proceedings. According to the transcript (.PDF), Ngo sold on data to over 1,3000 customers which included the addresses, previous residencies, phone numbers, email addresses, dates of birth, and most importantly: Social Security numbers of victims. The Vietnamese national was able to earn almost $2 million in exchange for over three million data-based queries on U.S. residents over an 18 month period.

The U.S. government alleges that the data was used for fraudulent purposes, including fraudulent tax returns, opening lines of credit and racking up bills in the names of victims. U.S. Attorney Arnold H. Huftalen told Judge Paul J. Barbadoro in New Hampshire District Court:

"At this point the government does not know how many U.S. citizens’ [data] was compromised, although that information will be available in the near future."

It is not known how many U.S. citizens have been damaged by the sale of their data, but Krebs believes that after crunching numbers, as many as 30 million records may have been taken and sold on to other parties.

Tony Hadley, Experian’s senior vice president of government affairs, said at the hearing Experian failed to perform due diligence and stop Ngo's activities, telling Missouri Senator Claire McCaskill that "We [Experian] were a victim, and scammed by this person."

McCaskill shot back, "Well I would say people who had all their identities stolen are the real victims."

Experian has not commented on the case, citing the ongoing investigation.


Talkback

7 comments
  • time to yank Experian's license to operate

    Not the first time they have been involved in substantial leaks.
    greywolf7
  • Minh Ngo duped Court Ventures, but Experian is negligent and incompetent

    "a Vietnamese man posing as a private investigator was able to dupe Experian"

    I'll excuse the above given that Charlie is British, not American.

    The whole story is that Minh Ngo duped Court Ventures. Experian then bought Court Ventures without doing its due diligence. Am I excusing Experian? Not remotely, as they bought Court Ventures' assets AND liabilities. It's a lot like buying a house in the U.S. without title insurance; you might lose your entire investment.

    Will Experian suffer any severe consequences for its negligence? Will its CEO or any corporate officer be fined or be sent to prison? Don't be silly; Mitt Romney and the Supreme Court already defined "corporation" as a person superior to humans.
    saucymugwump
    • Your analysis was pretty good

      until the idiotic ideological rant at the end. A corporation is a group of human beings who get together to conduct business. Just like a labor union is a group of human beings who get together to bargain for wages.

      All your rant proved is that you've been successfully propagandized into thinking a corporation is some non-corporeal malevolent entity.
      baggins_z
  • calling it

    A security oversight is one choice of words. Gross incompetence, criminal negligence, stupid beyond belief are others. Given that Expedia is gatekeeper to the financial and personal identification information of millions of Americans, it is reasonable to expect them to be responsible for keeping that information secure.
    krossbow
    • Incorrect

      The story referred to Experian, not Expedia. We're talking finances, not travel! ;-)

      Anyway, the issue is that a company that Experian bought was guilty of releasing financial information. That makes it Experian's problem now, but that doesn't mean that Experian was, itself, at fault.
      stew@...
  • One hacked two more to go

    So, Experian was hacked. One down. Two more to go: TransUnion and Equifax. These are private ones. We also have pretty nice databases at IRS and NSA. I have that warm and fuzzy feeling when so many companies care about me. However if somebody steals my identity I am on my own. Isn't it?
    paul2011
  • Please fix the misprint below???

    Ngo sold on data to over 1,3000 customers
    JDei