200 million consumer records left exposed in Experian security oversight

An ongoing investigation has revealed that a Vietnamese man posing as a private investigator was able to dupe Experian in to compromising data which could equate to millions of customer records.

Last year, Krebs on Security published a story documenting the tale of 24-year-old Vietnamese national Hieu Minh Ngo, the founder of an online identity theft service. Phishing campaigns, breaking in to systems, keylogging software -- these are all ways to snatch someone's personal, financial data, but what if you can go to an agency source and simply buy the information you want instead?

Ngo, posing as a private investigator in Singapore, took this route -- and was able to purchase the financial records of U.S. consumers directly from a company owned by Experian, one of the world's largest credit monitors, in order to sell it on for allegedly fraudulent purposes.

Court Ventures, owned by Experian, is an aggregator of digital public records. The firm has a deal thrashed out with another party, Columbus, Ohio-based U.S. Info Search, so both companies can freely access each other's databases. Ngo used this to his advantage; through monthly cash wire payments, he was able to access this database and lift the data he wanted, exposing the sensitive information of roughly 200 million U.S. citizens.

Ngo was arrested last year in Guam after running the scheme from home in Vietnam from 2007 to 2013. The scam artist was arrested by U.S. Secret Service agents after the agency set up a fake business deal involving the trade of consumer data.

The Vietnamese national pleaded guilty last week, and after being charged with wire fraud, access device fraud and identity fraud, could face up to 45 years behind bars. Ngo will be sentenced on 16 June.

Brian Krebs was able to acquire a transcript of the proceedings. According to the transcript (.PDF), Ngo sold on data to over 1,3000 customers which included the addresses, previous residencies, phone numbers, email addresses, dates of birth, and most importantly: Social Security numbers of victims. The Vietnamese national was able to earn almost $2 million in exchange for over three million data-based queries on U.S. residents over an 18 month period.

The U.S. government alleges that the data was used for fraudulent purposes, including fraudulent tax returns, opening lines of credit and racking up bills in the names of victims. U.S. Attorney Arnold H. Huftalen told Judge Paul J. Barbadoro in New Hampshire District Court:

"At this point the government does not know how many U.S. citizens’ [data] was compromised, although that information will be available in the near future."

It is not known how many U.S. citizens have been damaged by the sale of their data, but Krebs believes that after crunching numbers, as many as 30 million records may have been taken and sold on to other parties.

Tony Hadley, Experian’s senior vice president of government affairs, said at the hearing Experian failed to perform due diligence and stop Ngo's activities, telling Missouri Senator Claire McCaskill that "We [Experian] were a victim, and scammed by this person."

McCaskill shot back, "Well I would say people who had all their identities stolen are the real victims."

Experian has not commented on the case, citing the ongoing investigation.