October 1, 2014

A Florida man was sentenced today to 27 months in prison for trying to purchase Social Security numbers and other data from an identity theft service that pulled consumer records from a subsidiary of credit bureau Experian.

Ngo's ID theft service superget.info

Ngo’s ID theft service superget.info

Derric Theoc, 36, pleaded guilty to attempting to purchase Social Security and bank account records on more than 100 Americans with the intent to open credit card accounts and file fraudulent tax returns in the victims’ names. According to prosecutors, Theoc had purchased numerous records from Superget.info, a now-defunct online identity theft service that was run by Vietnamese individual named Hieu Minh Ngo.

Ngo was arrested in 2012 by U.S. Secret Service agents, after he was lured to Guam by an undercover investigator who’d proposed a business deal to expand Ngo’s personal consumer data stores. As part of a guilty plea, Ngo later admitted that he’d obtained personal information on consumers from a variety of data broker companies by posing as a private investigator based in the United States.

Among the biggest brokers that Ngo bought from was Court Ventures, a company that was acquired in March 2012 by Experian — one of the three major credit bureaus. Court records show that for almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and paying for the information via cash wire transfers from a bank in Singapore.

After Ngo’s arrest, Secret Service investigators in early 2013 quietly assumed control over his identity theft service in the hopes of identifying and arresting at least some of his more than 1,000 paying customers.

Theoc is just the latest in a string of identity thieves to have been rounded up for attempting to purchase additional records after the service came under the government’s control. In May, I wrote about another big beneficiary of Ngo’s service: An identity theft ring of at least 32 people who were arrested last year for allegedly using the information to steal millions from more than 1,000 victims across the country.

In April, this publication featured a story about 28-year-old Dayton, Ohio resident Lance Ealy, whom the government alleges also used Ngo’s services to steal financial records used for tax return fraud.

In October 2013, KrebsOnSecurity broke the news that Experian’s subsidiary was a major contributor to Ngo’s identity theft service. In subsequent hearings on Capital Hill, Experian executives assured lawmakers with the curious contradiction that the company knew who the victims were and that they’d be taken care of, but that there was no evidence that any consumers had actually been harmed as a result of Experian’s oversight. It remains unclear if Experian, Court Ventures or any other firm duped by Ngo will ever be made to fully and publicly account for the damage done here, although earlier this year several state attorneys general announced that they’d launched their own investigation into the matter.


58 thoughts on “ID Theft Service Customer Gets 27 Months

  1. Steve

    Shouldn’t these people be charged with R.I.C.O. and given stiffer sentences like the people involved with carding forums.

  2. TheOreganoRouter.onion.it

    You where not clear enough in your above article, was Theoc’s s twenty seven month sentence either state of federal time?

    1. BrianKrebs Post author

      Seriously? Federal investigators…..It’s a federal investigation. Links to a Justice Department press release. C’mon, you can reason it out, I know you can!

      1. TheOreganoRouter.onion.it

        Seriously?, the twenty seven month is kind of a light sentence for a federal crime. :–)

        Especially when it involves identity theft of more then one hundred people. Understand my reasoning.

        1. Jim

          pretty clear to me if the secret service is involved it’s Federal. No State is going to lure someone to Guam and arrest them.

          1. TheOreganoRouter.onion.it

            It says Hieu Minh Ngo was lured to Guam, not the guy in question.

        2. Lucem Intueri

          Seriously? You are going to doubt what Brian posted because you think that sentence was indicative of a sentence passed down by anyone other than a Federal Prosecutor? Does this mean that the next time my High School Baseball Team winds a game 26 to 3 it was really the football team???

          1. TheOreganoRouter.onion.it

            I don’t doubt Brian only think he should have wrote it as “Derric Theoc, 36, pleaded guilty to federal charges to attempting to purchase Social Security”

            In the next paragraph it states “Ngo was arrested in 2012 by U.S. Secret Service agents” which clearly means it’s federal. Their should be better continuity between the two people as far as the charges go so it doesn’t leave the reader to question the facts.

  3. eric

    It’s doubtful RICO would work for the individuals, as I suspect they made a deal in order to get access to the customer records and site data. As for Experian, they agave deep pockets and are intertwined with the NSA and other government agencies. I suspect their continued cooperation with thousands of other investigations would afford them plenty of insulation from this. Such a shame.

    1. The Phisher King

      Got any evidence to support your conspiracy theory?
      Or are you just another spreader of FUD?

  4. Andy

    Brian, is 27 months a typical sentence for this type of crime? I supposed a much longer sentence for the number of [potential] people and amount of [potential] money associated with this activity.

    1. BrianKrebs Post author

      It can go either way. If the defendant has no prior convictions and is cooperative, he can get a far reduced sentence than what the guidelines call for. But I wasn’t privy to any of those discussions, so I really don’t have a basis to answer your question, sorry.

  5. LessThanObvious

    It’s very strange to me that we have this kind of vulnerability with the credit bureaus. I don’t want them sharing my info with anyone for any reason. It isn’t reasonable this day and age for these credit agencies to share PII because the risk is too great and they can’t be trusted not to put their own commercial interests ahead of the consumer. Please advise if there is a way to generally opt-out, not just from direct marketing, but to limit all ability for them to share your info.

    1. Pavlo

      I have credit freeze on all my credit accounts, I wonder if that stops all activity, though I’m starting to think that the “investigators” still have access to my data.

  6. Stuart

    To a layperson it seems like this is a lot worse for the average joe than a credit card breach. Why is this so under reported by everyone else?!? Do people not understand selling your info is way worse than selling the Visa card you use???

    1. BrianKrebs Post author

      +1

      I’ve been completely stunned by how little the media seems to care about this. The same response roughly after I published a story showing that the guys running the biggest identity theft service on the internet were running a small, custom botnet that consisted primarily of bots inside servers at the largest data brokers on the planet, including Dun & Bradstreet, Kroll and Lexis/Nexis.

      http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/

      Fundamentally, most people understand a credit card breach, since most people have a credit card. But I’d wager than half the population of America has never heard of Experian, or if they have, they couldn’t tell you where or how or what the company actually does. Same goes for those other companies I mentioned.

      1. Andrew

        I seem to recall that California only got religion on data privacy after there was a data loss from the state government that just happened contain the personal information of the state legislature.

        1. Andrew

          Here’s the incident, was at the California’s Stephen P. Teale Data Center in 2002, even the then Gov. Gray’s information was in the 265k employ data taken. Lead to California’s SB1386/AB700 breach notification law. Take away – Make it personal and the light bulb goes on a lot faster.

          http://www.computerworld.com/article/2576322/data-privacy/recent-breaches-raise-specter-of-liability-risks.html

          http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_cfa_20020823_220958_asm_floor.html

          http://media.mofo.com/docs/PDF/ELC1003.pdf

      2. Steve Lembark

        Having worked for Experian, I can tell you that even they don’t fully know what they do.

      3. meh

        Keeping the public in the dark is the only way they can operate. If most people did know how crooked Experian and the other bureaus are they would do a real life ‘purge’ in full daylight.

      4. E Camner

        Brian…Not only stunned but extremely dismayed that nobody “out there” knows, or probably would not care, about Experian. Whenever I see one of their TV ads, it consumes me with anger. The same with the new Cox ads relating to your recent report on the Cox breach. These issues cause me much frustration

      5. NotMe

        It really sad that most people don;t see what these folks have on them. Why are they allowed to use my social security number as an indexed data item? Why do we allow them to collect and store reams of info on us that we can’t easily get for update, it takes months to sort out an error in their records.
        I used to work for a “feeder” company that collects debtor records at the county level, they buy this public record stuff and resell it as fact. Credit reporting is such a scam, and now you are screwed by the insurance companies who rate your risk based on the crappy credit reports. We need some more light shed on these shady operators. Thanks for trying to get out the message Brian!

        1. meh

          You guys are ignoring the obvious.. The public is in the dark because of an active campaign and social framing they sow on purpose to keep the public in the dark. They take active steps to criticize and shut down anything negative about their business practices and to use shadow methods to further integrate their widely known to be flawed data as fact. They work hard on commercials to show them in a godly light as core pillars of the financial system and smear anybody who refuses to play their stacked game as weird and possibly dangerous.

      6. The Human Defense

        Brian,
        I would agree with you that most people do not understand these services. This is why I started my company, was to help educate people about this type of crime. However, I throw your site out there all the time to folks so they can understand more about cyber crime and where our data is sold.
        Keep on truckin, your making a difference every day with your information. It might feel like your spitting in the wind, but I think that wind is changing directions, slowly but its changing.

  7. Anne

    One of the things Experian apparently does is supply confirmation of identity to the Social Security Administration.

    Excerpt from an email sent to me by SSA after I opened an online account :

    “Social Security may use an identity verification service provided by Experian to help verify your identity and protect your privacy when you register to do business with us online. When we make a verification request to establish your account, Experian may use information from your credit report to help verify your identity. As a result, you may see an entry called a “soft inquiry” on your Experian credit report. This will show an inquiry by the Social Security Administration with our address and the date of the request. Soft inquiries do not affect your credit score, and you do not incur any charges related to them. Soft inquiries are displayed in the version of the credit profile viewable only to consumers and are not reported to lenders. The soft inquiry will not appear on your credit report from Equifax or TransUnion, and will generally be removed from your Experian credit report after 25 months. Once you have registered for an online account, you will not generate additional soft inquiries by logging in to access our services.”

    After reading your postings on Experian, I am far from thrilled at being vetted by them.

    1. NotMe

      Yup 25 months, that is how it takes for a correction as well.
      Good luck getting credit if they decide to screw you over.

  8. roger lodger

    Before the interwebs became big, an IRS employee stole my identity. That’s why I think NSA employees are stealing identities — why would they be any cleaner than IRS employees, specially as they know better how to hide their own activity than IRS employees do?

    1. The Phisher King

      The only NSA employee I am aware of being outed for identity theft is Edward Snowden, who socially-engineered other NSA staffers to give him their credentials.
      Do you have real evidence of NSA employees stealing IDs as part of their job? If so, please share it.

      1. thinkr

        SE has nothing to do with ID theft, he didn’t benefit from anyone’s loss. Its the US govt. that stole his identity and ruined his life for shedding light on a topic that concerns all

  9. Chris Thomas

    but the victim of ID theft is on his/her own. It seems universal that victims of slovenliness by custodians of private personal data suffer financial loss and worse. It does nothing for a victim of the consequences of identity theft that criminal perpetrators are occasionally prosecuted and punished. The consequences live on. No criminal justice system gives a damn.

    Those victims lumbered with bogus mobile phone contracts are still pursued for the debts and credit rating black marks and the stigma of fraud imposed by companies which failed to perform due diligence by setting up the bogus contracts in the first place, thus aiding and abetting the crimes of the ID thieves.

    These companies are the effective accomplices of ID thieves.

  10. Bud Costello

    Back in March 2011 there was an article on how much account details/ credit card numbers etc were worth on the underground market – is it time for an update? Have prices changed significantly over time, and so attracting more attention?
    Is there a minimum level of details needed before they can be bundled for sale?
    I’m particularly thinking of the “Charity Muggers” who pester people for bank details for regular payments to support various causes – mostly students, could these be supplementing their income on the black markets?

  11. Mike

    Our only safety appears to be in numbers: there are so many victims from which to choose. 🙁

  12. Pete C

    Interesting and informative Brian.
    And, to think…Experian is also the credit bureau being used by Target Corporation to provide the free, one-year, of credit monitoring to customers affected by the massive credit/debit card breach which occurred there.

  13. Nathan

    the date for this post Brian is wrong, its listed as Oct 14th.

    1. Andrew

      Actually Oct 14 means October 2014 here, with the 01 above that wording being the day of the month. October 1st, 2014

    2. Robert.Walter

      I don’t think the confusion over the posting date stamps will end until the format changes… May I respectfully suggest:

      2014 (small text)
      Sept (medium text)
      30 (large text)

      This should pretty much fix it.

      1. BeefSquatch

        As this website is read by thousands of people every day, I don’t think a format change is really warranted because a handful of people can’t seem to figure out what everyone else sees as pretty straight forward.

    3. NotMe

      Don’t fold on the date format.
      It’s always dd/mm/yy everywhere else.

      Expand their horizons and let them see beyond their noses.

      1. BrianKrebs Post author

        I have no intention of changing it. It’s too fun getting emails from self-righteous readers who tell me date is all wrong and that I’m a moron, etc.

        1. Blanche Dubois

          Uh oh, my mirth secret has apparently been breached, and then shared without my permission…

          I read Krebs first to stay current on rampant data breaches; then the Comments for a mirth-filled review of current US deductive reasoning skill levels, homo sapiens conspiracy analysis trends, then writing skills devoid of SpellCheck by “techies/engineers”, and lastly, to monitor US “functional illiteracy”, last reported to be at 18% (and holding steady since source Barbara Bush announced it).

          Ain’t it a great country or what?

          With Krebs, truly my Made in China From-Stolen-Designs cup runneth over…

      2. BrianKrebs Post author

        Also I should note the there is a full and proper date and time stamp at the conclusion of every article, albeit in admittedly small font.

      3. unknown.guest

        You mean those that do not follow international standard of YYYY-MM-DD like in ISO-8601

          1. meh

            I meant Unix Time based off UTC..

            Should gain a few critics 🙂

  14. Robert.Walter

    A whole lot more deterrence would be accomplished in this case if execs and managers from both Experian and Court Ventures were serving similar sentences as well as the petty criminal.

  15. Steve Lembark

    Want to change the way Experian, TransUnion, et al, do business?
    Simple: Do what the europeans did and return ownership of individuals’ data to themselves. The courts will set a value on the lost data, companies will get insurance to cover the costs of data losses, and insurers will ride herd on the rest of them.

    Experian has deep pockets, but if their insurer tells them it’ll be an add’l $20M for their data loss liability policy next year due to audited defenceincys in their security you will see the quality of security go up quite a bit; ditto the idiots who lost Kreb’s login information and banks without dual-factor login. Once sloppy security comes out of their bottom line, not the customers’, there will finally have a reason fix things.

    1. thinkr

      I think we all know that’s not gonna happen without a major fight from them. In Europe we don’t give companies that much lobbying power

  16. E Camaner

    Brian…How about a book (maybe a short one) on what’s happening with Experian and the other credit bureaus. You’ve made so many great reports on them. Maybe a book would be widely read enough to sound the alarm.

  17. thinkr

    Brian, do you have any idea how he was nabbed? I imagine the thai guy’s website was booby trapped after the feds got him, but it’s probably something else, as this guy made the news pretty fast

  18. CardMe

    News flash. You don’t own the data. It isn’t even real. It’s not tangible. Its an abstract representation of your position in society. You were issued with this data as part of a deal. Not just with your credit providers, but with society as a hole. When events such as these transpire, all of a sudden it seems to be a pretty crap deal doesn’t it; but the rest of the time, it sure is a great feeling to satisfy the need for immediate gratification that only a credit line can sate. Mr Krebs, you do a decent job on reporting on the scene; but the majority of your fans sure know how to whine — I yearn for intelligent discourse following some of these stories. +1 on the ‘Like’ button concept.

  19. Maryanne

    Thanks to my father who stated to me regarding this website, this web site is truly awesome.

  20. Lou Johnson

    Just for the record, our “beloved” presidente’ is using a bogus SSN. He’s using the number of a man who was born in CT. in 1893 (and most likely dead).
    This fact is “all over” this here web.
    The Social Security Administration does not recycle numbers.
    As I understand it, the State Dept, FBI, and CIA is aware of this fact also.

Comments are closed.