An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.
In November 2011, this publication ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.
Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. I asked readers who may have a clue about the meaning or source of those abbreviations to contact me. In the weeks following that post, I heard from many readers who had guesses and ideas, but none who seemed to have conclusive information.
That changed in the past week. An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.
Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.
Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.
THE ROLE OF EXPERIAN
In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.
Martin said he first learned of the ID theft service after hearing from a U.S. Secret Service agent who called and said the law enforcement agency was investigating Experian and had obtained a grand jury subpoena against the company.
While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.
“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”
Experian declined multiple requests for an interview. But in a written statement provided to KrebsOnSecurity, Experian acknowledged the broad outlines of Martin’s story and said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service. Their statement is as follows:
“Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian’s credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time.”
WHO IS HIEU?
As I noted in my 2011 story, I’d found a scammer-friendly forum called talkgold.com where a user named “hieupc” was promoting superget.info as his site. Further searching showed that there was a fairly active Vietnamese hacker who used the nickname “hieupc.” That user appears to have gotten started defacing Web sites, even attacking the Web site of his former university in New Zealand after the school kicked him out for alleged credit card fraud. As it happens, the Web server address history for superget.info shows that it was hosted last year in Vietnam.
According to an indictment unsealed last week by the U.S. District Court for the District of New Hampshire, Hieupc was none other than Hieu Minh Ngo, the 24-year-old Vietnamese individual named in Experian’s statement. According to court documents, Ngo resided in New Zealand and Vietnam, and operated superget.info and a similar ID theft service called findget.me, along with an unnamed co-conspirator, identified in the complaint only as John Doe One.
These services specialized in selling “fullz” or “fulls,” a slang term that cybercrooks use to describe a package of personally identifiable information that typically includes the following information: an individual’s name, address, Social Security number, date of birth, place of work, duration of work, state driver’s license number, mother’s maiden name, bank account number(s), bank routing number(s), email account(s) and other account passwords. Fulls are most commonly used to take over the identity of a person in order to engage in other fraud, such as taking out loans in the victim’s name or filing fraudulent tax refund requests with the IRS.
All told, findget.me and superget.info acquired or sold fullz information on more than a half million people, the government alleges.
The U.S. Secret Service declined to discuss the case, but a source familiar with the matter said undercover federal agents set up a phony business deal to lure Ngo out of Vietnam and into Guam, an unincorporated territory of the United States in the western Pacific Ocean. The source said that Ngo was arrested upon his arrival in Guam and transferred to New Hampshire. There he is currently facing 15 separate criminal charges, including conspiracy to commit identification fraud, aggravated identity theft, and wire fraud, among others.
If convicted on all counts, Ngo could be facing a very lengthy prison sentence. According to a statement on the Ngo case released Oct. 19 by the Justice Department and New Hampshire U.S. Attorney John P. Kacavas, the statutory maximum penalties are five years on the identity fraud and identity fraud conspiracy counts; two years each on the aggravated identity theft counts; 20 years on the wire fraud count and wire fraud conspiracy counts; 10 years on the substantive access device fraud count; and five years on the conspiracy to commit access device fraud count.
The unsealed complaint against Ngo is available here (PDF).
DATA BROKER BREAKDOWN
Meanwhile, it’s not clear what — if any — trouble Experian may face as a result of its involvement in the identity theft scheme. This incident bears some resemblance to a series of breaches at ChoicePoint, a data aggregator that acted as a private intelligence service to government and industry. Beginning in 2004, ChoicePoint suffered several breaches in which personal data on American citizens was accessed by crooks who’d used previously stolen identities to create apparently legitimate businesses seeking ChoicePoint accounts. ChoicePoint was later sued by the U.S. Federal Trade Commission, an action that produced a $10 million settlement — the largest in the agency’s history for a violation of federal privacy law.
In 2008, ChoicePoint was acquired by Reed Elsevier, the parent company of data aggregator LexisNexis. Last month, KrebsOnSecurity published an exclusive story showing how the proprietors of an identity theft service that competed with superget.info had hacked into the networks of LexisNexis, as well as data brokers Kroll and Dun & Bradstreet.
Avivah Litan, a financial fraud analyst with Gartner Inc., said this latest exposure raises serious questions about U.S. regulators’ capacity to monitor the due care of extremely sensitive consumer data, in accordance with the Fair Credit Reporting Act. Litan said that under 15 U.S.C. 1681b (PDF) credit reporting agencies have strict guidelines regarding to whom they may distribute consumer reports.
“It’s clear that criminal identity theft organizations are excluded from the list of users with ‘permissible purposes’,” Litan said. “While the government shutdown certainly affected regulator business in October 2013, where have the regulators been for the last seven years when it comes to protecting sensitive consumer data? Have those efforts been shut down as well?”
There are signs that at least some federal regulators may be taking a harder look at the practices of the data broker industry. In an August 2013 keynote speech (PDF) at the Technology Policy Institute’s Aspen Forum, FTC Chairwoman Edith Ramirez said “the time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight. In other words, with big data comes big responsibility. Firms that acquire and maintain large sets of consumer data must be responsible stewards of that information.”
Ramirez noted that the FTC can already bring actions under Section 5 of the FTC Act, and that it will continue to be active in punishing data brokers that fail to secure the information they collect. But she said stronger incentives to push firms to safeguard big data must be in place, and that the FTC has urged Congress to give the agency civil penalty authority against companies that fail to maintain reasonable security.
“Firms of all sorts are using consumer data in ways that may not just be contrary to consumers’ expectation, but could also be harmful to their interests,” Ramirez said. “This problem is perhaps seen most acutely with data brokers — companies that collect and aggregate consumer information from a wide array of sources to create detailed profiles of individuals. Their success depends on having more and better data than their rivals. The concern is that their mega-databases may contain highly sensitive information. The risk of improper disclosure of sensitive information is heightened because consumers know nothing about these companies and their practices are invisible to consumers.”
Last year, the FTC called on data brokers to give consumers access to their information through an easy-to-find, easy-to-use common portal. The agency also supported legislation to give consumers access to, and a right to dispute or suppress, data held by brokers. As it stands, Congress can’t even bring itself to pass a national data breach disclosure law, a relatively nonpartisan legislative effort that has enjoyed broad support from industry leaders for nearly a decade.
FTC Chairwoman Ramirez said the agency also issued subpoenas to nine data brokers, seeking information about the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which they allow consumers to access and correct their information or opt out of having their personal information sold. The FTC said it expects to issue a report later this year with its findings.
One more. [facing a very prison sentence.] And it might be time to cancel my Experian credit monitoring service, although it helped me catch and refute a Verizon Wireless fraudster that would have cost me $1300 and 70 points of my credit history.
Since the problem started with the company EXPN bought, IF they stopped selling the data when they found out what was happening (as they claim to have done), what else do you expect them to do?
Of course, you have the right to stop doing business with them, I just don’t see what the point would be in this case.
This article’s headline is misleading.
I’m not sure why you seem to think this would prevent Experian from having your data; no matter what you do, they’ll have your data… These services are extortionate — one hand washes the other; they collect and aggregate the data, sell it, then make you pay, again, to keep an eye on it while having no control over it whatsoever. THIS is the definition of organized crime.
Good job, FBI.
Where do you see the FBI mentioned in this story at all? AFAIK, this was a Secret Service operation.
Knew it wasn’t an FBI case because there was no claim that it was “the biggest, most sophisticated and elaborate site” like every FBI press release. It’s like Donald Trump teaches them media relations at Quantico.
Brian,
As always, great job. I had looked into this a little bit in my spare time since I run across this type of dirtbag in my line of work and knew it had to be someone big. Just like you said, it is way too easy to get access to data that can be used for nefarious purposes.
Experian should be shutdown and selling of personal data by any company should be illegal. Period!!!
Thanks for that insightful contribution.
The problem isn’t the data per se, the problem is that this data is accepted to authenticate a user. Imagine if lending institutions were suddenly liable for identity fraud due to lack of diligence in identifying users – the industry would tighten right up!
Money don’t smell.
Plus a bit of fraud is always good for a business in this case. Create fraud to fight fraud — interesting business plan, I must agree.
Nice post. Very informative and helpful one… Thanks for sharing…..
What value would a credit “Freeze” by Experian have if even that can be compromised by something like this?
Regulation should not be limited to organizations that have large, static stores of data. It should also apply to organizations that have access to large volumes of streaming data; e.g. RTB exchanges & the organizations that sit in the auctions, or that partner with the exchange to enrich the data-stream.
I’ve been bitching about this sort of “service” that they offer to anyone for years. What gives a credit reporting agency the right to sell your credit worthiness to anyone?
It’s moronic to think that I want more crap when my score goes up. It’s bad enough that PII is floating out there, now they get to validate it via a simple sniff at the credit reporting agencies as well.
I don’t know how simple it is to “buy” information, but let’s say I was a miscreant, and I wanted to get general address information on people, say 25-35 with a credit score of 600-800. That just built me a list of some pretty reliable data.
If you get credit card or other advertisement in the mail unannounced, look at the back of the spam snail mail for a phrase that says you can opt out from these offers for credit by contacting the XXXXX credit agency.
Freaking retards.
Thanks, Brian. Very informative, as always. This kind of behavior goes beyond ordinary negligence, and verges on intentional conduct. Chase is in the midst of getting rocked $13 billion for rogue, greedy methodology like this; the AG definitely should be looking at Experian for similar treatment.
Experian: the company that requires you to call in order to cancel and which then offers you a discount not to.
This and similar companies should be required to provide access to any data they hold about you for free WITHOUT THAT HASSLE and to notify you if they have sold information about you.
Having to pay to access information about yourself to ensure it’s correct is just absurd.
Wow, great reporting Brian. I have to wonder whether Experian’s due diligence prior to the Court Ventures acquisition was sloppy or if there was no way for them to determine this.
I’ll also note that Experian is at least one of the companies doing the background check work for applications on healthcare.gov.
Realistically, the background check work you refer to would almost have to be done by some/all of the big CRAs. The concentration in that industry, similar to that of big accounting, is substantial. I’d argue, as I think you implicitly are, that this leads to market failure, since consumers have no real way to take their business elsewhere. The regulatory capture that contributes to the perpetuation of this regime is a whole other dimension, and cause of heartburn.
Brian, great investigative reporting. I hope the other two credit bureaus are taking a hard look at their data-sharing agreements.
Excellent work as always – thank you Brian
Nowadays every company, whether it’s employment or housing related, is doing background checks on everyone because of what happened on 9/11. Before that most of those databases were used for the purpose of banks to be used in credit or loan decisions. The general public really didn’t have access to that information until the internet, and then data broker companies realized the profitability of selling such information to big and small businesses to justify their fears with dealing with people in an employment or housing situation. Everyone is being vetted nowadays for purposes like working in a fast food job that pays close to minimum wage. Thirty years ago, that didn’t happen and most of the personally identifiable information was kept secure only to be used where needed, like by a bank or for getting a government job. So why should these data brokers be allowed to sell information to just anyone like a product being sold on Amazon.com?
In my opinion, the United States has become an excessive “background check” nation and the criminal underworld has exploited that fact.
Another great article !
Well said, TOR.
Great research and reporting. I knew these sites existed, but I didn’t know it could be THAT easy!
Please keep up your efforts. I look forward to being “educated”!
It’s worth mentioning that Experian obtained the government contract for verifying all data for Obamacare applicants.
Oh look, results from the “deregulation obsession” continue to roll in.
Thank you for another good article. Now where can I opt out of the credit bureaus?
I wonder if any of us will ever get notified by these data brokers……
When it comes to ordering your credit history from these bureaus, the law requires the person you’re running credit on to sign a disclosure agreement giving you permission to run his credit.
Even when you apply for a job, you have to give them permission in your application.
To just order credit history on someone is illegal without their permission and signature, and can affect their credit negatively. But there seems to be an extreme lack of enforcement and oversight.
You can have all the laws you want written down on paper but if nobody follows them or enforces them, they are just toilet paper.
Experian is probably not even facing a penalty, so why should they even care? Who’s to say this is not still going on with the other bureaus, or even still in Experian?
I’m curious what that FTC report will say about data brokers in general.
The fact they are outsourcing upsets me even more, even if it is private and not run and regulated by the Gov’t, at least this sensitive American data should be handled by Americans only.
On a side note though, Experian is also most known for those mysterious 19.99 charges on your credit card you didn’t approve, and imo the more corrupt out of the three, which isn’t saying much.
Great story BK, very important for people worried about their privacy. Just imagine all the info these credit card companies have…
Brian,
Did you see the email address in paragraph 39 of the complaint? Looks like Ngo worked with the data brokers you covered here:
http://krebsonsecurity.com/2013/10/data-broker-hackers-also-compromised-nw3c/
Mr. Krebs,
I wonder if there will be any repercussions of Experian’s peripheral involvement here, especially related to their involvement with the Healthcare.gov website and process. Your thoughts?
It seems like every day on blog.scoredriven.com there is another story about a private company or university that has a data breach. I think that as time goes on, the government will be forced to penalize companies for poor data security practices.
In most cases, they only provide a year’s worth of credit monitoring to each person whose personal data was compromised, but what happens when that expires? My data is still out there, God knows where.
“k_sec” is right about the ‘deregulation obsession’- it’s forced me now to shell out an extra $8/month (from ScoreDriven) just to make sure no one screws with my credit since my university was hacked.
That scoredriven.com site looks pretty fishy, given the huge number of grammatical errors and otherwise poorly written material on their blog, in addition to all the hits in Google that seem to be copy/paste forum posts (astroturfing) or corporate social media; their image is highly manufactured (and not very carefully I might add). Sketchy identity protection site is sketchy. Could it be a trojan horse service that turns around and steals identities? Brian Krebs, what do I do!?
Wait. Regulators have been falling down on the job of protecting sensitive consumer data for the last SEVEN YEARS. So why bother even MENTIONING a government shutdown of 16 DAYS in the story?
Just couldn’t resist, could you?
mjkbk, who are you asking if they couldn’t resist? Not Mr. Krebs, I hope, since the shutdown reference was a quote from a Gartner analyst.
My, isn’t this ironic. Last week I got a letter from Adobe about their September 11-17 data breach, which included encrypted credit card data. As part of their praiseworthy effort to prevent any harm, they’ve, I quote, “engaged Experian to provide you with its ProtectMyID Alert membership.”
While this isn’t quite like hiring a fox to guard your hen house, it does seem a bit like hiring the fox’s friend to do that guarding.
For that breach, Adobe has a customer-alert help number and web page:
1-866-412-8699
http://www.Adobe.com/go/customer_alert
Signing up for Experian’s ProtectMyID service will almost certainly mean giving them information about your bank accounts and credit cards. If you’d rather not do that, you might want to contact Adobe (above) and suggest they offer an alternative fraud protection service.
Experian has lost the one thing that matters most in their field–their credibility. A company sworn to fight fraud has helped enable it.
It seems to me that a way to get companies that have or have access to large amounts of information about people to be super careful would be to impose draconian penalties if they are careless, as Experian seems to have been. A fine of, say, ten years’ profits would do the trick, plus mandatory jail sentences for the people directly responsible for security.
It’s a double exploitation of the public, since many tech companies / multinationals send their revenue offshore to avoid taxes.
Data brokers / tech companies / multinationals exploit the public by:
1. buy, sell, trade id info without proper safeguards while saving $$ on security
2. burden regular Americans and small businesses to bear the tax expense of government investigation/prosecutions/legal initiatives while they send their revenue made off the backs of these Americans offshore to duck taxes.