March 10, 2014

In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers.

Vietnamese national Hieu Minh Ngo pleaded guilty last week to running the ID theft service Superget.info.

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to running an identity theft service out of his home in Vietnam. Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale.

But according to prosecutors, Ngo had already struck deals with one of the world’s biggest data brokers: Experian. Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans. 

HIEU KNOWS YOUR SECRETS?

As I reported last year, the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa.

Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.

Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

Until last week, the government had shared few details about the scope and the size of the data breach, such as how many Americans may have been targeted by thieves using Ngo’s identity theft service.  According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.

The government alleges that the service’s customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo’s customers made approximately 3.1 million queries on Americans.

“At this point the government does not know how many U.S. citizens’ [personally identifiable information] was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul J. Barbadoro in New Hampshire District Court earlier this month. “And we don’t know because the way the process worked was a bad actor could type in the name of an individual and a state…”

Huftalen’s explanation was interrupted by Judge Barbadoro, who told the courtroom he was late for another engagement. However, based on my own experience with Ngo’s service, I believe Mr. Huftalen was trying to explain that because of the way that Ngo set up his identity theft service — variously named “Superget.info” and “findget.me” — each customer query in fact returned multiple records.

The “sourceid” abbreviations in Ngo’s Superget.info identity theft service pointed toward Court Ventures.

When I first became aware of Superget.info, I conducted a search on my own information, asking Ngo’s service to return any information on a Brian Krebs in Virginia. That query produced several pages of results, with each page containing at least ten different records full of personal data on multiple individuals — including my correct records. Revealing the more sensitive data for each record — including the date of birth and Social Security number — merely required clicking a link within each listing on the page; each click would result in a small amount being deducted from the customer’s balance.

The point is that each query on Ngo’s service almost always exposed multiple records. That means that if Ngo’s clients conducted 3.1 million individual queries, the sheer number of records exposed by Ngo’s service is likely to have been many times that number — potentially as many as 30 million records. 

EXPERIAN: ‘WE’RE GOING TO MAKE SURE THEY’RE PROTECTED’

Beyond acknowledging the broad outlines of the government’s claims against Ngo, Experian has refused to discuss the matter. “Due to an ongoing federal investigation, we have been asked not to comment beyond the information we have already shared to ensure nothing impedes the progress of the investigation,” Experian spokeswoman Susan Henson said in an emailed statement.

Experian's Tony Hadley, addressing the Senate Commerce Committee in Dec. 2013.

The few public statements that Experian has made regarding the incident came in a hearing last December before the Senate Committee on Commerce, Science, & Transportation, which was examining the data broker industry.

In that hearing, Missouri Senator Claire McCaskill grilled Tony Hadley, Experian’s senior vice president of government affairs. Every other senator on the committee focused on Experian’s practice of profiling consumers, but McCaskill used her time to question Hadley specifically about the company’s role in Ngo’s ID theft service.

Hadley acknowledged that Experian failed to conduct the due diligence needed to detect Ngo’s activities prior to or anytime after acquiring Court Ventures. Indeed, Hadley said that Experian didn’t learn about Ngo’s activities until after being notified by the U.S. Secret Service.

“During the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident,” Hadley told McCaskill and other panel members. “We were a victim, and scammed by this person.”

The Missouri Democratic senator shot back: “Well I would say people who had all their identities stolen are the real victims.”

“And we know who they are, and we’re going to make sure they’re protected,” Hadley assured the panel. But incredibly, in the very next breath Hadley seemed to suggest that nobody had proven or alleged that any of the records its company sold to Ngo had resulted in harm to consumers.

“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley said.

I asked Experian to explain the apparent inconsistencies in Mr. Hadley’s statement, and to clarify whether the company had already begun to offer protection or service to anyone impacted by this scheme. So far, the company has declined to respond to those questions, citing the ongoing investigation.

But the evidence offered by the U.S. government strongly suggests that many people were injured by Experian’s lack of due diligence. Addressing the court at Ngo’s guilty plea hearing last week, U.S. Attorney Arnold H. Huftalen said the evidence was clear that Ngo’s customers purchased data from Experian’s firm with the intention of stealing the identities of consumers.

“The U.S. Secret Service has conducted investigations into many of his customers, all of whom have stated that they only obtained the information from Mr. Ngo to engage in criminal fraud,” Huftalen said. “The evidence would establish that at the time Mr. Ngo knew that he was providing the information for others to engage in fraud.”

It remains unclear whether Experian will ever be required to answer for its costly oversight. Mr. Ngo, on the other hand, is facing a lengthy prison sentence. He is charged with wire fraud, access device fraud and identity fraud. The maximum possible prison term for all three offenses combined is 45 years. Ngo may also be fined up to twice the gross gain resulting from his offenses, or twice the loss to consumers, whichever is greater. Ngo is slated to be sentenced on June 16th.

A full copy of the transcript from Ngo’s guilty plea proceeding is available here (PDF).


108 thoughts on “Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records”

  1. Blair Reeves

    Sounds like lazy oversight more than anything by Experian. This also calls into question the completely unreasonable over-reliance on SSNs as personal identifiers in the U.S. Too easy to steal and fabricate.

    This is probably a good argument for a national ID, ideally biometric, as anything else. After all, it’s not like credit reporting is going anywhere.

    1. walter p komarnicki

      I agree. Personal details which constitute identity theft seem to be all too easy to steal, and how are the victims ever to be compensated?

      1. Regret

        I’m sure they’ll be happy to offer you a free credit report.

    2. pboss

      “This also calls into question the completely unreasonable over-reliance on SSNs as personal identifiers in the U.S.”

      SSN as a personal identifier isn’t the issue. The issue is using SSN as proof of identity. It’s not designed to be a secure number, yet here we are, using it like a password.

    3. Benjamin Weiss

      I disagree. At least a Social Security Number can be changed, albeit with great difficulty. If we start using biometric data to identify people instead of the SSN, and an identity thief steals the digital representation of your biometric data, then you will *never* be able to change your identifying characteristic…

      1. saucymugwump

        Absolutely true. The only place biometric data should be used is in high-security, military installations where the validation systems are NEVER online: not for testing, not for data transfer, NEVER.

    4. Bob Brown

      The Social Security number is a FINE identifier. The problem is that it is used as an authenticator.

      1. Carl 'SAI' Mitchell

        Exactly. Biometrics make fine “usernames” but are worthless to replace “passwords” or the equivalent. Any system where you have to share a secret with someone else to allow them to authenticate you is stupid. Digital signatures, zero-knowledge proofs, and the like are the only way important authentication should be done.

      2. Jasun Tate

        I completely agree. It’s time LOA-4 NIST 800-63. The industry will have to.

    5. BrianKrebs Post author

      Yes, the answer to a problem in which companies cannot secure personal data is to….wait for it…provide even more personal data that they can’t secure. Great idea!

      1. Blair Reeves

        Not necessarily, Brian. Obviously, trading one set of falsifiable identifiers for another doesn’t do much. Tokenization of my identity, on the other hand, would be a much stronger option. Tokenization based on a biometric signature would be best, because then it really would be very, very hard to counterfeit. (Not impossible, but nothing is 100% secure.) Subtracting the biometric part, this is the direction I understand Target is going in now, but you probably know more about that than me.

        More generally, given the relative ease of finding information like SSN/addresses/names/etc., all of our verification systems for identity need hardening.

  2. techvet

    It sounds like the people running Experian today are the same ones who ran T.J. Maxx back in 2007. Their primary concern was to admit as little as possible and disavow as much as possible. They had no concern about the consumer except where it hurt their bottom line.

      1. Annie

        Not to mention that I had 2 cards compromised in the Target breach, requested credit monitoring three times, and have yet to receive the signup email. Sigh.

        1. Marge

          You might want to do some research on the so-called monitoring being offered for victims of the Target breach. It is a joke compared to monitoring offered by companies like idRadar and Lifelock. Experian should be fined every time their commercial airs! They are too busy shredding information to send you that sign up email. Good luck!

  3. Clyde Tolson

    Thank goodness the FBI brought this miscreant to justice!

    1. BrianKrebs Post author

      Clyde are you being provocative? He was arrested and brought to justice by the U.S. Secret Service, as mentioned in the story.

  4. Serena

    How did the credit bureaus acquire such power in the first place?

    Also, gotta love Experian’s priorities. They make it difficult to look at your own data and correct mistakes, but they’ll let some dude posing as a US-based PI have full access. No matter that he’s actually in Vietnam and he’s paying by wire transfers from Singapore. No red flags there, eh Experian? Why would any PI have access anyway? Can I become a PI and start rifling through everyone’s credit info?

    1. swattz101

      It seems if you pay enough money per inquiry you can have as much data as you can use.

      1. Saura

        Unfortunately yes, it is all too easy to access incredibly personal info for a price. However, I would be careful not to paint all PI’s and the like with the same brush as Ngo. I’m now a financial crimes investigator, and I follow the same code of ethics I did as a skip tracer.

    2. NotMe

      Sadly, yes you can. I looked into this not long ago and you would be interested to see how much data you can get access to with a P.I. license, or the ability to appear as someone who is an investigator. You can also get almost as much data simply by using marketing databases, signup, pay the fee and you are in.
      It should come as no surprise to any of us that the information we gave as far back as the 80’s can still be pulled up. Enjoy your research!

    3. Bart

      “How did they get this power in the first place?”

      I don’t know, but it’s a good question, as in, “Who died and put them in charge of this data?”

  5. Publius

    Some day, people will wake up and realize that _all_ aggregation of data on citizens and consumers–including implicit aggregation, where information is only transiently collected–by governments, data brokers, retailers, or anyone else only makes the inevitable compromise that much more damaging.

    Today’s highly connected world has ushered in an era of new risks along with new opportunities. We’re woefully prepared for these risks when policymakers don’t even know what an ISP is. Time and time again we see appalling breaches of massive repositories of private information, and time and time again we see our politicians and corporate leaders stick their heads in the sand and ignore the root cause.

    What’s needed is a new paradigm, where data aggregation is outlawed, and where decentralization and previously-fantastic cypherpunk ideas for cryptographic identity verification, blinded signatures, provably-anonymous digital cash systems, and the like become standard.

    PCI or HIPAA compliance will simply never be enough. Where cryptography can be used to protect individual privacy while providing strong authentication, it must. Where it (yet) cannot, information decentralization is the only way to mitigate the inherent privacy risks. Unfortunately, I worry that a combination of policymakers’ lack of insight, corporate leaders’ pursuit of cost reduction, and “Big Data’s” (or, more aptly, “digital anal rapists'”) penchant for massive warehouses of private information will prevail and ensure the fundamental reforms we need will never see the light of day.

  6. adam

    I really wonder what would happen, when the records get published via torrents to the public?… End of the world? 😉

  7. KP

    What I find amazing is that there is no information about this in the mainstream news. I just did a Google news search on “Experian” and get nothing except a few minor Target references. It’s like a media blackout.

    1. Mark Higdon

      And the reason for at least some of the Target references? Target is offering its victimized customers a free year of credit monitoring by…Experian.

      Amazing!

    2. Charlie Griffith

      And, that’s a direct compliment to Brian Krebs. This is why we read his material with such gratitude.
      Incidentally, only slightly off topic in this “privacy” thing – let’s not have too much angst for those nitwits who post pictures of their genitals via the Internet and then shriek and yell for the A.C.L.U. to “protect my privacy”.
      There’s lots of politically correct hypocrisy clouding this “privacy” thing.
      All users of this Internet should have a healthy attitude of caveat emptor and stop their whining when they’re really goosed.
      If you want “privacy” in the old fashioned sense, be retro [gasp!] and use cash…..again.
      Electronic convenience can be a big trap.

      1. Charlie Griffith

        My earlier comment here was intended as a P.S. supplement to:

        “KP
        March 10, 2014 at 7:53 am”

  8. Christian

    Did Experian’s purchase of Court Ventures give customers of Court Ventures access to more data than they had prior to the acquisition? I’m not defending Experian, but it does make me wonder if we would have heard about this had Experian not purchased Court Ventures.

  9. Lynn Sattler

    I am surprised no one is mentioning that Experian (and Acxiom and Epsilon) were covered in a 60 Minutes segment last night (Sun 3/9/2014).
    It was a very revealing segment about the “data mining” industry. Besides the hackers wanting our information, seems we have a whole industry in the US after it also.

    1. Mike

      You mean Google? …and following suit, Yahoo! & the like.

      Google demands that we be personally identified and uses the smokescreen that it’s for the sake of commenting on YouTube. BS!

      (No, I didn’t see the 60 Minutes piece. Thanks for mentioning it.)

  10. Toby Pennycuff

    Brian, nice job of exposing, once again, the lack of focus by US corporations on securing their customers’ data. Please keep up the great work!!

  11. Jeff

    Just another example of trying to pretend that public information is going to be kept secret. As other comments hinted, using information which we have to give to hundreds of organizations as an authenticator is an inherently flawed system.

  12. instig8r

    I hate it when I am asked by a company on the phone for my date of birth, or mother’s maiden name, or last 4 of my social, “for security.” I laugh at them and not-so-politely point out to them that THAT’s not security at all!

  13. Loretta Kelley

    Should I file a Form 14039 with the IRS citing “Experian data breach”?

  14. David Stewart

    Is it possible that a lawsuit can be filed against companies that don’t take the proper action to prevent the loss and compromise of their clients’ personal information?

    It seems that right now they might or might not help with account monitoring but generally leave the victim to deal with the mess.

  15. JR

    Based on this latest breach (in concert with others) I think we can safely assume two things: (1) all Americans have had or will have their identities compromised; and (2) many of the bad actors are foreign nationals, out of the reach of US law enforcement. When people with the fine intellectual capacity demonstrated on this board are seriously recommending a return to a cash-based society, we also are seeing the beginnings of a collapse of our consumer based economic system which is based on trust after all. We are therefore looking at problems that far out-strip individual cases of fraud. Individuals will have their assets stolen certainly, but so will countless businesses which will have to make up the losses.

    The horse is out of the barn, folks, but we can still catch him, I think.

    How do we fix such a broken system? As someone upthread noted, the fix isn’t necessarily better technology. I would maintain that the fixes are systemic. A few thoughts:

    Require Experian, et al., to freeze everyone’s credit in their systems and personally contact individuals when any inquiries are made on their records. I don’t care if it is expensive for them to do. They owe us.

    Require the Social Security Administration to reissue numbers to each and every American, and do it using non-internet connected computers. The numbers could be sent to employers and account holders to get the information to individuals. If people don’t get their numbers they should have to physically go to an office and apply, showing proper ID.

    Require all merchants accepting credit cards to do so in non-internet connected systems, only uploading transactions in heavily encrypted batches at set times. They owe us, too.

    Chip and pin or biometric ID based credit transactions.

    Further suggestions welcomed.

    1. meh

      The entire premise of credit bureaus and data mining is to create a massive database of secret information that is cheap for them to acquire and sold out to pretty much anybody that wants the info. So long as their goal is to make information hidden to you that you cannot fix but anybody else can buy, we will continue to have these problems. With breaches like this, there is virtually nothing you can personally do to prevent them – not when these guys will give your every identifying tidbit of info away for a few cents. Credit bureaus are a sham and will ALWAYS be a very weak link in security.

    2. saucymugwump

      “personally contact individuals when any inquiries are made on their records”

      Good idea, but it needs to go farther. Permission should be required BEFORE credit inquiries are made. We also need to eliminate companies being able to send pre-approved credit card offers, i.e. return to around 1980. This would eliminate easy credit, but where’s the harm in that? Of course, this would require Congress to pass legislation returning ownership of personal data to people as compared to corporations.

      “Require the Social Security Administration to reissue numbers to each and every American”

      There are only 1 billion possible numbers. Given that we currently have 300 million people and that many numbers were retired after the owner’s death, we are rapidly reaching the point where we need to expand the pool of numbers. Instead of xxx-xx-xxxx, it needs to be xxxx-xxxx-xxxx-xxxx or even longer. It’s a lot like the Y2K issue when you think of it. And usage of invalid SSNs should be valid reason for the FBI to investigate, which will give a free benefit of eliminating most illegal immigration.

      1. meh

        They will never re-issue SSN en masse – the collection companies strongarm and bribe our leaders so they can keep on harassing people over debt even if it is many years past the state limitations … With well over a trillion owed on student loans alone, they will never voluntarily allow any kind of a random reassignment, and when all the old info is easily mapped to the new there wouldn’t be much point in reassigning numbers would there?

        1. saucymugwump

          I see your point, but I disagree. And I was not advocating the re-issuance of SSNs en masse.

          The FTC could create a scheme similar to bankruptcy court where creditors are notified of the event. For people also declaring bankruptcy, adding another step would be easy: for Chapter 11, only student loans are transferred; for Chapter 13, negotiations for all loans except student loans would start (student loans escape the long arm of bankruptcy court thanks to Bush). Debts within the FTC jurisdiction and Chapter 13 bankruptcy would require creditors to change the SSN within their records; they would not map it.

          1. meh

            Still at some point in the records it would have a ‘goto xxx-xx-xxxx’ note that the creditors including anybody buying the records would see, basically negating any benefit of changing those numbers around.

            1. saucymugwump

              Not if the law requires creditors to delete the old number, e.g. the same type of thing that happens in witness protection programs.

              1. meh

                You are missing the point – the crooks have access to the same information as the creditors do, aka it wouldn’t matter if they get reassigned, deleted because the person’s info still exists at a moment in time that can be captured and abused. The legal abuses are often just as bad as the illegal ones. Someone up above was talking about skip tracing – which exists because customers have few viable ways to nullify incorrect information or debt that has expired. Today there are millions of people in this country with debt that was either never correctly validated or is decades old that is still being passed around and getting looked up, reported, and reaged instead of falling off the state limits like it was supposed to – and these bottom feeding predators cause similar if not worse damage as fraud. The entire system is inherently set up to create a climate conducive to abuse as a business model and that is what you are not seeing.

              2. meh

                Long story short, you cannot fix this with a simple band-aid – the entire business model is designed to covertly gain often incorrect information about us, and sell it to others for a cheap price. Their entire business model relies on 2 things – that you cannot view or change this information easily, and that it is up for sale to as many people as possible. Both of these core tenets of the credit system run counter to a secure security posture and no amount of tweaks under the hood will change what is inherently designed to be an intentional privacy breach for money.

  16. PC Imi

    and who did TARGET turn to – for monitoring?

    Experian!

    Face it – your (all of ours) identity has been stolen – just a matter of time before it’s used against you

  17. Old School

    “Huftalen’s explanation was interrupted by Judge Barbadoro, who told the courtroom he was late for another engagement.” What? Is this a new form of judicial multitasking?

  18. Sfer

    Great article, Brian – thanks!

    “Experian Lapse Allowed ID Theft Service Access
    to 200 Million Consumer Records”.

    Massive lawsuit against Experian (by 200m people…).
    Experian’s days are ** OVER **.

    1. DefendOurFree

      The fun catch is they make you prove you have damages specific to that breach. That part is hard to do.

  19. saucymugwump

    KOS wrote “Ngo was able to make available to his clients access to … records on more than 200 million Americans”

    To paraphrase an old joke, there are only two kinds of Americans: those who have had their identity stolen and those who will.

    The only way this nonsense will stop is if CEOs and other corporate executives responsible for data loss are perp-walked, prosecuted, and imprisoned with no plea bargains. However, considering how many banksters have been prosecuted — virtually none — don’t hold your breath.

    P.S. If you missed last night’s 60 Minutes episode, “The Data Brokers: Selling your personal information,” watch it today online.

  20. Mitch

    Why would anyone ‘need’ to see a SSN from Experian? If someone filled out the Credit App, the person should be able to type it in, and be told it either matches or doesn’t… Experian should not even be able to display it, just have a Hashed value (salted) that they can reference. People need to get out of the viewpoint they need to see it, they don’t… they need to confirm it!
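An added example, not part of the original comment or the article: one way to build the match / no-match check described in the comment above, so that the service never stores or displays the number itself. All names are hypothetical. It uses a keyed HMAC rather than a plain salted hash, because with only about a billion possible SSNs anyone holding an unkeyed digest and its salt could test every candidate, and it locks a record after repeated misses so the yes/no answer cannot be used to enumerate the number.

```python
import hashlib
import hmac
import re
import secrets

MAX_FAILURES = 3  # assumed policy: lock a record after this many misses


class SSNVerifier:
    """Keeps a keyed digest per record and answers only match / no match."""

    def __init__(self, key: bytes):
        # Server-side secret. In a real deployment it would sit in an HSM
        # or KMS, separate from the database that holds the digests.
        self._key = key
        self._digests = {}   # record_id -> HMAC-SHA256 digest
        self._failures = {}  # record_id -> consecutive failed attempts

    @staticmethod
    def normalize(ssn: str) -> str:
        """Strip spaces and dashes; reject anything that is not nine digits."""
        digits = re.sub(r"[\s-]", "", ssn)
        if not re.fullmatch(r"\d{9}", digits):
            raise ValueError("SSN must contain exactly nine digits")
        return digits

    def _digest(self, record_id: str, ssn: str) -> bytes:
        # Binding the record id into the message acts as a per-record salt:
        # two people can never share a digest, and a digest copied onto
        # another record will not verify.
        msg = f"{record_id}:{self.normalize(ssn)}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, record_id: str, ssn: str) -> None:
        """Store the digest only; the plaintext is discarded on return."""
        self._digests[record_id] = self._digest(record_id, ssn)
        self._failures[record_id] = 0

    def verify(self, record_id: str, candidate: str) -> str:
        """Return 'match', 'no_match', 'locked' or 'unknown'."""
        if record_id not in self._digests:
            return "unknown"
        if self._failures[record_id] >= MAX_FAILURES:
            return "locked"
        try:
            candidate_digest = self._digest(record_id, candidate)
        except ValueError:
            candidate_digest = None  # malformed input counts as a miss
        if candidate_digest is not None and hmac.compare_digest(
            candidate_digest, self._digests[record_id]
        ):
            self._failures[record_id] = 0
            return "match"
        self._failures[record_id] += 1
        return "no_match"


def demo():
    """Constructed sample data; area number 000 is never issued."""
    verifier = SSNVerifier(secrets.token_bytes(32))
    verifier.enroll("rec-1", "000-12-3456")
    return [
        verifier.verify("rec-1", "000 12 3456"),  # correct, other formatting
        verifier.verify("rec-1", "000-12-3457"),  # wrong
        verifier.verify("rec-1", "000-12-3458"),  # wrong
        verifier.verify("rec-1", "000-12-3459"),  # wrong, third miss
        verifier.verify("rec-1", "000-12-3456"),  # correct, but now locked
    ]


if __name__ == "__main__":
    print(demo())
```
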

  21. James Henley

    This article is a joke. It’s simply Krebs looking for publicity.
    The problem happened when Court Ventures made the deal with Hieu Minh Ngo. This was many years before Experian bought them. The problem for Krebs is no one cares about the name Court Ventures.
    Yes, Experian should have done a full investigation after buying Court Ventures and I am sure they, just like Equifax, LexisNexis…. will all do that from here out.

    1. meh

      How are they going to track one bad apple among millions of international contracts they have had? What is to stop anybody in the world from creating a ‘collections company’ and doing the same thing at will for years before getting caught? The only real security check they do is check to see if they got paid, after that they really don’t care.

    2. saucymugwump

      “The problem happened when Court Ventures made the deal with Hieu Minh Ngo. This was many years before Experian bought them.”

      Experian bought Court Ventures along with its assets and liabilities, as is typical. Experian’s duty (due diligence to protect its shareholders) was to investigate Court Ventures before the purchase. And Experian’s boast that “our national public record repository, covering over 90% of the U.S. population” implies that Court Ventures is an integral part of Experian today.

      http://www.experian.com/public-records/public-records.html

      1. meh

        It is estimated at least 50% of credit reports contain major errors – if they cannot fix those, often with the victims TELLING them that there are errors, how would they flag this supposed PI as a problem in a batch of who knows how many clients they had? That is why these clearing houses of private information will always be a weak link, because there is not a way they can weed out the ‘new companies’, ‘collectors’, ‘private investigators’, etc until they cause massive breaches for a substantial period of time.

        1. saucymugwump

          I agree with what you wrote, but that’s a different subject. Experian was required to investigate all contracts and liabilities before tendering an offer for Court Ventures. It’s like buying a house without hiring a title insurance company.

          The answer to your issue is allowing the FTC to hammer companies which deal in personal data, including large fines based on a percentage of the company’s gross.

    3. Old School

      First, everything Saucymugwump said. Second, the extreme sensitivity of Experian’s business requires an investigation of a candidate for purchase to be equally extreme. Let Experian’s situation be a lesson for us all.

    4. NotMe

      The joke is on us if we don’t see the elephant in the room. This guy is not the only one who is using the credit bureaus for this purpose, he is just the one who got caught. The root cause was not Experian, but they got left holding the bag so it is relevant and useful information, even if your opinion about Krebs was included. Which I disagree with. Krebs does a good job and does need to seek headlines, he already has them.

    5. Josh Kirschner

      Experian made their first serious error when they contracted with Court Ventures to allow CV clients access to InfoSearch data, without ensuring that Court Ventures had appropriate measures in place to vet clients (which clearly they didn’t).

      Experian then purchased Court Ventures and allowed the fraud to continue for months. And it’s unclear how much longer it would have gone on had the Secret Service not brought it to Experian’s attention. Anyone care to guess how many other fraudulent accounts there are which haven’t been uncovered yet?

  22. TheOreganoRouter.onion

    After reading this, it reminds me about that website that had all the famous people’s P.I.I. posted on it for a short period of time about two or three years ago. You wonder if the information came from this guy’s illegal activities?

  23. Tom

    There is only one way to make sure that similar corporate negligence will stop hurting real people. It is the highest time that we push for a change on how financial services can be obtained in this country by requiring that the banks are responsible to verify people’s identity, and if they don’t then they would have to swallow all financial losses generated that way. When banks will be required to prove that an account is truly yours, or else they simply lose the money, the identity theft will stop being a problem in a single day.

    The current situation is a mess because it requires a victim to prove that an account opened by a thief is not theirs. It makes it easy for banks to offer plenty of credit and then blame everybody else. No one else is allowed to claim out of thin air just by using an SSN knowledge that for example an old friend owes them money. If you want to do this, the burden of proof is yours. Why are banks (and other financial institutions) exempt from this?

    1. meh

      The same reason corporate taxes have been slashed and the FED is giving billions of dollars a month in free money, because we live in a system that privatizes profits and socializes losses, and the gullible public swallows every self serving statement the billionaires make about not being able to afford things like security without massively raising their prices.

      1. saucymugwump

        “FED is giving billions of dollars a month in free money”

        Wall Street casinos, treated as banks by Clinton, Bush, and Obama, are able to borrow money at 0% interest from the Fed discount window and then carry-trade and/or gamble with it on derivatives. And then when an enormous loss is made, e.g. the London Whale, not only is the top dog not fired, he receives his usual $20 million largesse.

        “we live in a system that privatizes profits and socializes losses”

        True, but it is important to note that both political parties contribute. Many fools blame one party or the other, when the truth is that Clinton created the conditions for the new game, Bush created the bailouts, and Obama continued everything. And no one was prosecuted, except for a few like Madoff who could not be ignored.

        1. meh

          Wealth is global, and the global wealthy are pouring money into high yield investments and banks who act only in the interest of the banks. They channel extreme amounts of money worldwide into creating exactly the sort of system they want to funnel more money to the top. We don’t have the system we have now by accident.

  24. NoTalentHack

    I am trying to “follow the money” (or rather the data here). Someone feel free to correct me if I’ve got this wrong:

    Ngo buys access to a database from Court Ventures. Court Ventures populates it with names, social security numbers, and other goodies from US Info Search. Later on, Experian, which probably has all this data (and more) already, buys Court Ventures and along with it, Court Ventures’ customers, including the data siphoning Ngo.

    What legitimate reason does US Info Search have for storing and selling this data (ok, trading it to Court Ventures)?
    So, is it that simple to go and purchase personal data? Why are any of these companies allowed to sell huge blocks of financial data? I can understand the need for banks, retailers, prospective employers, etc. to perform ad hoc credit checks on individuals, but any time any entity wants to acquire more than one record, the data aggregators like Experian and US Info Search ought to be asking “why?”

  25. Glenn

    Congress needs to require all Experian executives to resign as a prerequisite to being allowed to stay in business. Unfortunately, expecting the Federal Government to do anything of value (read “hold companies accountable”) is naïve at best.

    1. Bart

      Ah, but this is why we have corporations; so that personal accountability and liability no longer exist.

  26. Ali

    Well, I am glad I am at least no longer under the impression that the safety of my personally identifiable information is in my own hands. At some point, I think we have to ask ourselves not that whose information has been hacked, but rather whose information has not been!

    I hope that companies are held accountable for short changing our privacy for their bottom line.

  27. scredly

    Lending agreements give the banks permission to access credit reports and report to the credit bureaus.

    The question I have is, who gave the credit bureaus permission to collect my personal information and make a profit selling it? I don’t recall signing any releases to the credit bureaus.

    Then they put you through hell if you try to correct errors in your own personal information. I should be PAID to personally verify that the information is correct as it makes their product more valuable.

    Something is not right in this system.

    1. Peter

      Indeed, something is not right, however, you did give them permission to store and sell your information. It is in the fine print of any credit card, bank account, etc. agreement you sign.

      The problem here is the business model. The credit-report companies live almost solely on selling this data. So there is no way they’ll stop collecting. And the buyers don’t care about the privacy of you and me, but just want this data. If something is wrong, they’ll just err on the wrong side and give you no loan or a higher rate. So both have no issue with how the system works today. They don’t see it as broken.

      The hard truth is, these systems were never created for us, so don’t have much regard for our interests. We are the data being sold, that’s all.

  28. mbi

    This is getting serious and more of these breaches will happen as the business grows and data brokers proliferate. To protect individuals the government should immediately institute a PIN number system with all social security inquiries or filing of tax refunds. It should also be against the law for any business to keep the PIN information in their files. Not taking such measures is just incompetence. Government records are as important as bank accounts data and we have PIN numbers for that information. Why isn’t the government doing more?

  29. olddog76

    Great job, Brian.
    Seems strange that some tort king hasn’t filed a class-action suit. I would think it is ripe for such action.

  30. MrPete

    I have a background in demographic data for marketing purposes (long ago, a company I worked for owned D&B Market Data…)

    I’ve always said that Big Brother is not the gov’t… it’s market research data firms.

    An example of the kind of data commercially available 20+ years ago (in this case we declined to do an agreement with the vendor; but this was a very real product).

    “They” (a nameless vendor) had on offer a disk with every collectable bit of information on every resident of California, AND THEIR FAMILY. If they could find it, it was in there, including:
    * All assets with Title (cars, homes, boats, etc)
    * All investments with any public aspect (eg stock options)
    * Every address and phone number they could find, including unlisted
    * Businesses, employment
    * Birthdays, anniversaries, etc
    * Every election and/or primary you were registered in, which party registered, and whether you voted or not. (NO not how you voted 😉 )
    * All publicly available donations
    * Education data
    * Loan data
    * Credit reporting data
    * and more

    All of that was $250 retail for the biggest state in the US.

    Not hard to imagine how such info could be misused/abused…

    We felt awful just seeing that this collection existed.
