April 5, 2014

In the wake of long-overdue media attention to revelations that a business unit of credit bureau Experian sold consumer personal data directly to an online service that catered to identity thieves, Experian is rightfully trying to explain its side of the story by releasing a series of talking points. This blog post is an attempt to add more context and fact-checking to those talking points.

Experian has posted several articles on its Web properties that lament the existence of “inaccurate information about Experian circulating in news outlets and other Web sites.”

“It’s no surprise that cybercrime and data breaches are hot topics for media and bloggers these days,” wrote Gerry Tschopp, senior vice president of public affairs at Experian. “Unfortunately, because of all the attention paid to these topics, we’ve seen some inaccurate information about Experian circulating in news outlets and other Web sites. I want to take a moment to clarify the facts and events.”

I’ve read this clarification closely, and it seems that Experian’s latest talking points deserve some clarification and fact-checking of their own. Below are Experian’s assertions of the facts (in bold), followed by some supplemental information glossed over by said statements of fact.

-No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.

As all of my stories on this incident have explicitly stated, the government has said the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service).

For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.

“Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service,” US Info Search CEO Marc Martin said in a written statement. “We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored. Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention.

-Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.

Experian has a duty to conduct “due diligence” on companies it wishes to acquire, because it knows that in purchasing a company it will acquire all of the company’s assets — including whatever debts, liabilities or poor decisions the previous owners may have incurred that end up creating problems down the road. Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company. Addressing a U.S. Senate committee last December, Experian’s senior vice president of government policy, Tony Hadley, allowed that “during the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person.”

Also, if it wasn’t clear by now, Experian’s PR mantra on this crisis has been that “no Experian database was accessed,” in this fraud. But this mantra draws attention away from the real victim: Consumers whose information was sold by Experian’s company directly to an identity theft service. A critical question to ask to this line of thinking is: Why does it matter whose database it is, if it contains personal info and Experian profited from its sale? 

-Court Ventures was selling the data in question to the criminal for over a year before Experian acquired the assets of Court Ventures.

True. Which suggests there should have been plenty of evidence for Experian’s due diligence team to detect fraudulent activity of the sort generated by an identity theft service using its network. Perhaps just as importantly, Court Ventures continued to sell consumer records to the ID theft service for almost 10 months after Experian acquired the company.

-Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed.

This publication has never stated that there was a breach of 200 million records. But it is true that KrebsOnSecurity.com was the first to report on the information contained in government statements made during the guilty plea hearing of Hieu Minh Ngo — the man who admitted to running the identity theft service. In those statements, prosecutors for the U.S. Justice Department stated that Ngo — by virtue of fooling Court Ventures into thinking he was a private investigator — had access to approximately 200 million consumer records. As I have stated previously, however, Ngo had to pay for the records he accessed, and he was running a service that charged customers for each records search they ran.

A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.

Lastly, Experian discontinued the sales of this data immediately upon learning of the problem and worked closely with law enforcement to bring this criminal to justice, (the perpetrator has recently pleaded guilty). We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search’s data to Ngo (the perpetrator), and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian.

If it really was US Info Search — not Court Ventures — whose database was accessed in this scheme, why is Experian suing Court Ventures? [Update, 9:03 P.M.: Databreaches.net has a good explanation to this question, which happens to support previous research of mine on why this breach could be far bigger than 3 million Americans).

Original story:

Here’s a far more important question that Experian needs to answer: What has the company done to make things right with the Americans whose identities were stolen because of this whole fiasco? 

Regarding those victims, Experian’s Mr. Hadley stated under oath in front of a U.S. Senate committee that “we know who they are, and we’re going to make sure they’re protected.” But, incredibly, in the very next breath Hadley seemed to suggest that none of the millions of consumers whose data was stolen by Ngo and his identity theft service had experienced any danger of identity theft or were even in need of Experian’s protection.

“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley told the committee.

For his part, US Info Search CEO Martin says it doesn’t appear that Experian is interested in notifying anyone.

“We have cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications,” Martin wrote in an email to KrebsOnSecurity. “In addition, Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”

Experian has declined to answer questions about whether it has lifted a finger to help consumers impacted by this scheme, or to clarify its apparently conflicting statements about whether it believes anyone has been harmed by its (in)action. But then again, what exactly would the company do? Offer them a year’s worth of dubiously valuable credit monitoring services? Oh wait, that’s right, Experian practically invented the hugely profitable credit monitoring industry, whose services are negotiated and purchased en masse virtually every time there is a major consumer data breach. Br’er Rabbit would be so proud.

In summary, Experian wants you to remember that the consumer data sold to Ngo’s identity theft service didn’t come directly from its database, but merely from the database of a company it owns. But happily, there is no proof that any of Ngo’s customers — who collectively paid Experian $1.9 million to access the data — actually harmed any consumers.

Readers who find all of this a bit hard to swallow can be forgiven: After all, this version of the facts comes from a company that has been granted a legal right to sell your personal data without your consent (opting out generally requires you to cut through a bunch of red tape and to pay them a fee on top of it). This from a company that is quibbling over which of its business units profited from the sale of consumer records to an identity theft service.


39 thoughts on “Fact-Checking Experian’s Talking Points

  1. jdgalt

    The important thing, I believe, is getting notices sent to everyone whose data the thieves may have gotten, so that we can take preventative measures — because it’s almost a certainty that there are still copies of some of it out there in the hands of bad guys who are still at large.

  2. BillC

    Experian is obviously in CYA/obfuscation mode, with their lawyers running the show, unfortunately. They are evidently unschooled in effective crisis management.

  3. Rick Z.

    “Here’s a far more important question that Experian needs to answer: What has the company done to make things right with the Americans whose identities were stolen because of this whole fiasco? ”

    I’m sure it’s the “year of free credit monitoring” that’s so ubiquitous (and mostly useless).

    1. Rick Z.

      LOL, Brian used almost those same words a few paragraphs later. Guess I should read the whole article before commenting!

    2. meh

      Free? Surely you jest. Even though they gave away the info, they wouldn’t protect anybody for free if they can possibly help it. The sooner this sham business goes belly up the better for everyone.

      1. Lee Church

        Experian didn’t really “give away” the information to the ID thieves. Experian’s subsidiary collected $1.9 million for it.

        As a result, a company has $1.9 more dollars while claiming they are the ‘victim’. (I would love to hear Experian try the “well, the whole $1.9 million wasn’t after we bought it; they certainly included that $1.9 million in their valuation of the purchase though, and mitigation costs afterwards is like a thief complaining that the court costs to prosecute him should be subtracted from the reputed amount stolen).

        That’s the problem with this data stuff.. the future liability is not on the accounting balance sheet. Experian argues that they were duped, but the fact is it was only a matter of time until some incorrect release happened (whether via hack, or wrongly sold, shared, aggregated etc). The liability is certain, it’s a game of pass the hot potato. And regardless of the Experian/US info Searc/Court Ventures risk /blame shifting, the consumer ends up paying the price, through higher card fees, transaction costs, higher loan application fees, higher merchant prices, higher taxes, lower services etc. If enough people think slow transactions down, then the entire economy slows down (velocity of money slows, which is a huge economic problem already).

        Sometimes I think data brokers/CRAs and others with this personal data need to have a $15.6 Trillion (approximate US GDP) dollar liability listed on their balance sheet as they can wreck the US economy (hyperbole to make the point that many companies would each have the ability to wreck the US economy).

        It’s not enough to reduce the number of these data compromising events without addressing the larger tail event risks. That is an area that seems completely missing with Info security.

        Take the Experian design that gave a screen of records when someone issues a search for a single record. That multiplied the problem (scaled it up) without any particular need to do so. It leveraged for leverage sake. I doubt that even one audit or infosec guru cited the extra record returns as a problem. My point here isn’t to bash InfoSec folks, but to point out they are only solving for half of the problem. The problem they need to look at is ‘scale’.

        Being blind to half the security problem stems (in my opinion) from the way business, IT, and Infosec view data. They could not see that returning the extra records was a problem, because the value to them of those records (at that moment) was zero (The valuable record was the one being searched for). So the valuation of the records is viewed from the perspective of what it was worth to Experian/US info/Court ventures, not what damage that information could to to the people involved.

        It wasn’t a technical problem that returned those extra records, it wasn’t a one off isolated incident in considering those extra records as ‘worthless’. It was a system design that came from how they think about the data.

        When you combine these things with the moral hazard that the entire business is just gambling with someone else having the risk it puts us in a very dangerous situation that favors scaling up as large as possible, and then trying to cash in before the ‘big one’.

        That’s basically the model with Court Ventures/US infosec/Experian. The selling of the business allows the ‘risk takers’ to exit and hand the risk off. In this case they happened to not get too far (less than statute of limitations) before being held accountable. So in many ways the whole Experian thing is an easy one with a relatively ‘happy ending’.

        Anyway, I do agree with you, but technically, they had a “buy one consumer record, get who knows how many free” sale on the data. But they didn’t really ‘give it away’, they profited nicely on the sales (One couldn’t get the free records, without paying for them).

        regards,
        Lee

        1. meh

          Sorry I mean ‘gave it away’ when they give it to someone for a few bucks… To me not a huge difference. Basically like you say though, economy is heavily involved but I don’t think companies like Experian make it better – they allow people to get paid less and use credit as a crutch for things like auto repairs and home ownership that used to be much more cash and collateral based. Credit is one tool that let the owner class withhold wages for the last 35 years without us serfs noticing and uprising since we could get a ‘loan’ to get the things we need today, while many of us struggled with the repayments down the road. Their entire model allows a certain number to never pay back as a calculated risk because they know regardless of their calls and in person shakedowns that a certain number simply won’t have anything to pay them back. In that regard I think just having cash was a lot better and even moreso when it was cash for 95% of all transactions without any associated debt.

          Aside from that argument above that will never happen in the halls of congress, their business model of accumulating private data on the public and then selling it will never be securable. There is no way to send it off to India to be disputed and keep control of it. There is no way to bundle it out to millions of businesses for a few bucks without giving it away to a lot of bad apples in the process. They cannot authenticate and ration access to this data at a cost effective point, this data isn’t worth hundreds of dollars a piece to companies and for a few bucks they can’t afford much of a screening and verification process.

          Ultimately they just need to go away, as they will ALWAYS be the weak link by their very design.

          1. Lee Church

            I agree on all points. And Experian and others treating other people’s data so casually (eg. extra records being sent wasn’t a technical error, it was a design) values it to what Experian’s valuation is at any given moment. The record one is looking for is $19.95 (or whatever the price for a search is), and the other records, are ‘junk’. At another time, the $19.95 record is part of the ‘junk’, and another record is the ‘prize’.

            I agree with you, they might as well have given it away, but wanted to make clear it’s a shell game. Even Experian’s response to the incident is that the extra data is no big deal, because nobody can figure out who was, is, or will be hurt in the future from it. It could be that a record that was accessed contributes to a scam, theft or other abuse 100 years from now.. (imagine “your granmother used to live at so and so address and I was her neighbor” as the lead in to a scam that occurs from data leaked today but used 100 years from now). I am using hyperbole here, but the reality is that the data can be leveraged and then stored forever. It’s simply not possible for Experian to say whether someone will or won’t suffer, or how much they would suffer.

            If one buys into the above, then it’s not unreasonable to require liability insurance going forward forever to cover that liability(technically called “re-insurance” for coverage of past events with future liability). I don’t know any insurance that wants to cover infinite time and infinite scale of damages.

            And I agree about it requiring a larger solution (Congress). Our present course is pretty much the same as the derivatives disaster from which the world is still recovering. I do have hope the current weather changes, and there will come a day when the inherent risk of this data is allocated more fairly than handing it to grandma. Understand that our present course is simply a projection, not a forecast. While we are certain to go over the cliff if we continue, whether we continue or not is entirely a choice.

            and yes, they might as well have given it away.. “buy a hot dog and get 20 consumer records free!” isn’t the kind of sale that builds confidence they should have the data at all.

            regards,
            Lee

            1. meh

              Congress is really the only party who could make the necessary changes but I think everybody following this fully expects them to make some pitiful statement, bribe a few people, and walk away unharmed to do the same old thing as they have been. This isn’t the first breach to happen from data brokers/credit bureaus and it won’t stop until their entire business model disappears.

              I see this type of problem as interlinked to the larger economic, job, technology, healthcare, infrastructure, and other disasters that our country faces – our population kept on growing throughout the last 40 years while technology and international trade reduced the jobs by half. Those jobs are never coming back and short of killing off half of our working age population there is going to be a permanent shortage of livable wage jobs out there to get. The credit system and identity tracking are all tied into this mess to keep track of who is overextended and who can ‘safely’ handle more debt, but anybody who has ever worked in this industry knows what a sham those measurements are – they are constantly tweaking the scoring models in favor of businesses to keep on piling the fees and keep ahead of trends in the work sector so a certain portion of the people have ‘good’ credit and a certain portion have ‘bad’. They cannot fix any one of these areas without massively changing the way jobs are created, pay is distributed, taxation, and retirement planning gets funded – the status quo is very lucrative for the powers that be and they see no reason to make these changes, why would they care if your average blue or white collar worker loses their personal information 20 times a year if the losses are still acceptable to them?

  4. Paul

    I just logged in to my “ProtectMyID.com” account from Experian (courtesy of Target), something I haven’t done a couple of months.

    The main page for my account shows “Your last log in was on: April 05, 2014 at 05:57 PM (PST)”

    It is (yep) April 05, 2014 at 05:57 pm (PST).

    With an ability to track last logins like that, I really wonder what the service is doing for me….

    1. Lee Church

      At least they can claim that the ‘last login’ part of your information is as up to date as possible. 🙂

  5. femtobeam

    LOL, Brian!

    Your way of writing this with a wry sense of humor and insight into, not only the real important points, but the obvious disdain for the intelligence of consumers at the end was almost as funny as the Br’er Rabbit line.

    This is one of my all time favorites!

    It is time for a deep dive though. Who was responsible for carrying the traffic? Copies of checks and wire transfers, if possible. Class Action Law Suit by the Consumers Union? Here is their chance. Anyone who has been a target of identity theft and has been tossed around like a hot potato, knows that the blame game always works against the consumer.

    You are a champion for human rights now.

    Krebs for a Nobel Prize!

  6. orr

    Probably best to just assume one’s information has already been in the wild in its entirety and take appropriate actions while being ever vigilant.

  7. mtuckerjr

    Thanks for your comment. #femtobeam Very well said. Thanks Mr. Krebs for keeping us informed …with insight, knowledge and truth. Krebs for a Nobel Prize! (ala femtobeam). Concerned readers, follow BrianKrebs KrebsOnSecurity and any mention of him on social media sites, etc.

    1. femtobeam

      Thank you #mtuckerjr for the compliment.

  8. Lee Church

    re: 200 million records debate

    I think they are saying that they had all their records available for sale, but the criminals bought less than they hoped.

    I just shake my head at the part where Experian explains that their data is worthless. The criminals apparently paid $1.9 million for identity theft, but got nothing from it?. um.. does that mean that the data is useless? I can see that in their advertising literature.

    customer testimonial from ‘user’ Ngo from Atlanta (Georgia): “I bought $1.9 million of this useless data and loved every byte!”

    I guess that is the fungible part about data.. when it’s a liability, then they say how useless/worthless it is, but other times how the same data is worth billions.

    Warren Buffett has written that derivatives were the only investment he knew where party A sells the ‘asset’ to party B and both parties record a profit on the transaction.

    Well, this consumer data is the only asset I know that is marked after being sold by party A as worthless or valuable depending on whether party B or party C bought it.

    1. JCitizen

      Good point! Any class action should file for both malfeasance and false representation of the value of the service! HA! ]:)

      That would box them in for sure!

  9. CJ

    It appears that the lawyers are in charge of writing the press release. (At least Target had the good sense to not let that happen). They didn’t sell credit reports to the crooks, but they did sell SSN, drivers license, bank account, etc … And Experian /Court Ventures took the cash.

  10. alli

    Heres another thought….with all the breaches going on, who is making sure credit monitoring is really a legit service? Its the goto when theres trouble…..sounds more like voodoo than an actual service that can help people..

    1. Elaine

      Alli, your question is excellent and needs to be answered.

  11. aina

    And isnt usinfosearch that scammy popup ad that shows up at least every day? And my bank supposedly verifies ” through public data accessed through experian ” when you reset your password… am i exposed to this now?

  12. Jeff

    Awesome reporting!! This story is just the tip of the iceberg. There are many other instances of abuse by personal data aggregation corporations that need to be exposed.

  13. Tom

    During the time frame of this theft I had an Experian credit monitoring subscription for 1 year purchase using my Amex card via Experian’s website. Their response to my inquiry about the Russian surname whose name the credit service was sold not being close to my name on the credit card was that they would look into it. My next call was to Amex to cancel my card.

    The press has enough stories in current news about companies being sued over fraud of companies they bought that the SEC really needs to crack down on companies that are not doing the due diligence required.

  14. TheOreganoRouter.onion.it

    It looks to me like Experian is in the business of just accepting data base breaches so they can sell over priced credit monitoring service

  15. Matt

    My question is: What is the difference between the Hackers and the credit bureaus?

    The credit bureaus are all collecting, in one form or another, consumer data without the consumers permission and reselling it. The only difference I see is that the Hackers are not charging me YET to “so call” lock my data from access.

    I never gave the credit bureaus permission to collect, sell or provide access to my data, yet now they want to charge me a fee so I can see if they sold it to someone else that has used it to steal my identity.

    We need to change our thinking. Credit bureaus should be paying the consumer to “opt-in” to collect our data if you are so inclined.

    It is my belief that the 4th Amendment is still in effect but then who really knows with all these executive orders.

    We need to stop getting sucked into these finger pointing discussions and get back to “We the people” thinking.

    So when the dust settles and we read that a “Settlement” was made between all parties involved…where did all that settlement $$$$ money go? Were you who “never has standing” ever made whole for the BS you went through to regain your credit rating?

    Keep up the good fight Brian. Your running circles around anybody else on these exposures.

    1. JCitizen

      Damn right Matt!! Here’s a BIG plus one to ya! :-bd

  16. Stratocaster

    Somewhere someone’s heads should roll for the blatant failure of the “due diligence” process, not to mention the failure of ongoing security operations to detect this fraud for months afterwards. Target was a lot more massive, but it didn’t take them almost a year to figure it out.

    “First, let’s kill all the lawyers.”
    —Henry VI, Part II

    Except for the ones who will be suing Experian and prosecuting their management for fraud. The perp who bought it has pleaded out. What about the perp(s) who sold it to him?

  17. Prattleonboyo

    Krebs is the only entity in the US watching the watchers and giving consumers a modicum of accurate information when it comes to data breaches. The US govt agencies tasked with said consumer protection, meanwhile, are all in the back pockets of the industry they are supposed to be monitoring/regulating. Clearly, the US has the best govt money can buy.

  18. Ali

    Brian, thanks for taking on all these bad guys 🙂 I wonder just what it would take for people to force these companies for our consent before selling our personal data, and not just opting out of being their product. I am not holding my breath though, any action must come from the legislators!

    I am sure you are a very prudent guy, but just remember that companies can be more dangerous than the criminals you take on in Russia and Eastern Europe. Good luck and keep up the good work.

  19. AlphaCentauri

    How many people whose data was sold to Hieu Minh Ngo ended up becoming victims of identity theft? And how many of those victims purchased identity theft FROM EXPERIAN as a result of that experience, not realizing Experian’s subsidiary was the source of the data theft in the first place?

    Sounds like a class-action suit to me. Too bad the lawyers will be the only ones to get paid, and the victims will probably get a free year’s extension of their credit monitoring service.

  20. Ellen Camner

    Whenever one of the nice new Experian TV ads comes on praising its ability to protect your information, I get the urge to throw up. This makes me sick, literally.

  21. tjallen

    I wonder if some of the reluctance to legislate and regulate data brokers has to do with the not-so-secret existence of political data brokers. Could congress write legislation that regulated consumer information data brokers and business information data brokers, but somehow exempted the political data brokers?

  22. jbmartin6

    Well, they gather a bunch of public information about us, and sell access to that information to a wide variety of users. It is hardly surprising that once in a while one of those users is up to no good. The underlying issue is that all of this information, none of which is a secret, has financial value. I’d like to see liability settle on the banks for having poor authentication and on the credit agencies for reporting false information.

  23. MedicalQuack

    Here’s what I think and have been talking about it for 3 years, license ALL data sellers as you need an index to know who they all are, banks, companies, etc.

    You can’t do anything without an index and second of all excise tax those making billions doing it, like Walgreens that pulls in around 1 B a year. There’s many more like that out there.

    I said the same thing that you did, no due diligence on Experian’s part with purchasing the company.

    http://ducknetweb.blogspot.com/2014/04/one-really-good-reason-to-license-and.html

Comments are closed.