When a company that claims to be among the most trusted data security experts commits a security lapse, we have a big problem. The latest reports reveal that Experian might have exposed sensitive information of millions of Americans.
Hieu Minh Ngo, a 24-year-old citizen of Vietnam, was the perpetrator and has pleaded guilty before a U.S. court to identity fraud, access device fraud, and wire fraud. While he may be insinuating that he has a mental illness, judgment will be announced on June 16. Ngo faces as much as 45 years of jail time.
It is not yet clear if Experian will be made liable for its data security oversight.
KrebsOnSecurity was first to scoop the story last year and has now looked deeply into how Ngo's identity-stealing activities are connected to one of the credit bureaus in the United States.
Based on a court filing obtained by KrebsOnSecurity, Ngo's identity theft operation, run through his Superget.info and findget.me sites, raked in around $1.9 million for him by servicing over a thousand customers between 2007 and February 2013. The data for sale includes not only names and Social Security numbers but also home addresses, email addresses, phone numbers, and birthdays, among other sensitive information.
"Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans," reported KrebsOnSecurity.
"Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers - including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers," KrebsOnSecurity added.
The U.S. Secret Service pinned Ngo in Guam during an entrapment operation that led him to believe that he was transacting with a big customer who could provide a sizeable amount of financial and personal records that he could resell.
Customers of the identity theft website purportedly used the data they obtained for various fraud schemes, such as filing false tax returns, spending huge amounts using the stolen identities, and acquiring credit lines.
Experian has not commented on the issue, citing an ongoing investigation.
A hearing was conducted in December before the U.S. Senate, where legislators looked into the data broker industry in the country. During the hearing, Tony Hadley, senior vice president of government affairs at Experian, admitted that the company failed to detect Ngo's activities until the Secret Service notified it.
"During the due diligence process, we didn't have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person," Hadley said during the hearing.
Hadley also promised that Experian would do everything to protect the affected individuals but pointed out that there has been no proof yet that the data acquired by Ngo caused any known harm to consumers.
Senator Claire McCaskill had an excellent reply.
"Well I would say people who had all their identities stolen are the real victims," the senator said.