March 10, 2014

In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers.

Vietnamese national Hieu Minh Ngo pleaded guilty last week to running the ID theft service Superget.info.

Vietnamese national Hieu Minh Ngo pleaded guilty last week to running the ID theft service Superget.info.

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to running an identity theft service out of his home in Vietnam. Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale.

But according to prosecutors, Ngo had already struck deals with one of the world’s biggest data brokers: Experian. Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans. 

HIEU KNOWS YOUR SECRETS?

As I reported last year, the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa.

Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.

Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

Until last week, the government had shared few details about the scope and the size of the data breach, such as how many Americans may have been targeted by thieves using Ngo’s identity theft service.  According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.

The government alleges that the service’s customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo’s customers made approximately 3.1 million queries on Americans.

“At this point the government does not know how many U.S. citizens’ [personally identifiable information] was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul J. Barbadoro in New Hampshire District Court earlier this month. “And we don’t know because the way the process worked was a bad actor could type in the name of an individual and a state…”

Huftalen’s explanation was interrupted by Judge Barbadoro, who told the courtroom he was late for another engagement. However, based on my own experience with Ngo’s service, I believe Mr. Huftalen was trying to explain that because of the way that Ngo set up his identity theft service — variously named “Superget.info” and “findget.me” — each customer query in fact returned multiple records.

The "sourceid" abbreviations pointed toward Court Ventures.

The “sourceid” abbreviations in Ngo’s Superget.info identity theft service pointed toward Court Ventures.

When I first became aware of Superget.info, I conducted a search on my own information, asking Ngo’s service to return any information on a Brian Krebs in Virginia. That query produced several pages of results, with each page containing at least ten different records full of personal data on multiple individuals — including my correct records. Revealing the more sensitive data for each record — including the date of birth and Social Security number — merely required clicking a link within each listing on the page; each click would result in a small amount being deducted from the customer’s balance.

The point is that each query on Ngo’s service almost always exposed multiple records. That means that if Ngo’s clients conducted 3.1 million individual queries, the sheer number of records exposed by Ngo’s service is likely to have been many times that number — potentially as many as 30 million records. 

EXPERIAN: ‘WE’RE GOING TO MAKE SURE THEY’RE PROTECTED’

Beyond acknowledging the broad outlines of the government’s claims against Ngo, Experian has refused to discuss the matter. “Due to an ongoing federal investigation, we have been asked not to comment beyond the information we have already shared to ensure nothing impedes the progress of the investigation,” Experian spokeswoman Susan Henson said in an emailed statement.

Experian's Tony Hadley, addressing the Senate Commerce Committee in Dec. 2013.

Experian’s Tony Hadley, addressing the Senate Commerce Committee in Dec. 2013.

The few public statements that Experian has made regarding the incident came in a hearing last December before the Senate Committee on Commerce, Science, & Transportation, which was examining the data broker industry.

In that hearing, Missouri Senator Claire McCaskill grilled Tony Hadley, Experian’s senior vice president of government affairs. Every other senator on the committee focused on Experian’s practice of profiling consumers, but McCaskill used her time to question Hadley specifically about the company’s role in Ngo’s ID theft service.

Hadley acknowledged that Experian failed to conduct the due diligence needed to detect Ngo’s activities prior to or anytime after acquiring Court Ventures. Indeed, Hadley said that Experian didn’t learn about Ngo’s activities until after being notified by the U.S. Secret Service.

“During the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident,” Hadley told McCaskill and other panel members. “We were a victim, and scammed by this person.”

The Missouri Democratic senator shot back: “Well I would say people who had all their identities stolen are the real victims.”

“And we know who they are, and we’re going to make sure they’re protected,” Hadley assured the panel. But incredibly, in the very next breath Hadley seemed to suggest that nobody had proven or alleged that any of the records its company sold to Ngo had resulted in harm to consumers.

“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley said.

I asked Experian to explain the apparent inconsistencies in Mr. Hadley’s statement, and to clarify whether the company had already begun to offer protection or service to anyone impacted by this scheme. So far, the company has declined to respond to those questions, citing the ongoing investigation.

But the evidence offered by the U.S. government strongly suggests that many people were injured by Experian’s lack of due diligence. Addressing the court at Ngo’s guilty plea hearing last week, U.S. Attorney Arnold H. Huftalen said the evidence was clear that Ngo’s customers purchased data from Experian’s firm with the intention of stealing the identities of consumers.

“The U.S. Secret Service has conducted investigations into many of his customers, all of whom have stated that they only obtained the information from Mr. Ngo to engage in criminal fraud,” Huftalen said. “The evidence would establish that at the time Mr. Ngo knew that he was providing the information for others to engage in fraud.”

It remains unclear whether Experian will ever be required to answer for its costly oversight. Mr. Ngo, on the other hand, is facing a lengthy prison sentence. He is charged with wire fraud, access device fraud and identity fraud. The maximum possible prison term for all three offenses combined is 45 years. Ngo may also be fined up to twice the gross gain resulting from his offenses, or twice the loss to consumers, whichever is greater. Ngo is slated to be sentenced on June 16th.

A full copy of the transcript from Ngo’s guilty plea proceeding is available here (PDF).


108 thoughts on “Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records

  1. Pcrea

    There appears to be NO severity of punishment for both the hacker & companies making this information available…no one cares …..the employees and others in between the SSN /data and the scum hacker either don’t want to be cognizant of the importance of this data or don’t care and leave as someone else’s problem…and good luck trying to unravel the horror when you are the mark….even then again no one cares….the burden is totally on the victim and it will take months if not years to fix…..ya think ?
    When I see the photo of this criminal I just want to strangle him

    1. Thomas

      Pcrea,
      To be perfectly clear, so that anything you hear from other companies with false promises, for their financial gaines, “you cannot protect yourself from Identity Theft”. In 2004 there were only 10 million American victims, whereas in the past 90 days there has been hundreds of millions identities stolen. Media companies simply monitor your credit, whereas the best company in the world, will restore you. Identity Theft is only 20% credit, which most focus on, but there are many other ways including criminal, prescription medicine, drivers license, social security, medical fraud. Can you imagine going to the doctor, having medicine written for you, but the computer says there is a conflict with other medicines? But your not taking other medicines? I give the CEO of Target credit for providing one year protection, but the truth is, once your identity is stolen, its sold over and over and over. I live worry free, from Identity Theft and I know when it happens to myself or my family, I will be restored. Problem solved, go to my website and learn for yourself.

      1. William Charles

        Target is legally required to give one year of free protection, they definitely aren’t doing so out of the goodness of their hearts.

    2. Jim

      I think your anger is misplaced. It should be at “experian”, after all they are the holder of the mans data empire. Even though they bought the small company, they never reviewed what the company was doing? Or what information was being sold? Or to Whom? That is the transgression of faith, they should be shut down.

  2. Philip

    I guess the good news is that Experian is uniquely positioned to provide “free lifetime credit monitoring” to all 200mio affected individuals. Even better, future Target-like breaches will have a much lower price tag for the negligent companies, because once everyone’s credit is already “monitored” anyway, there’s no need anymore to notify affected individuals. (/sarcasm).

  3. SMERSH

    Individuals should have internationally-recognized automatic copyright over all their personal data with reverse onus of proof – anyone has my data they must prove they have my explicit and informed permission. Criminal penalties apply.

    OK this is Dreamland. When pigs fly over frozen Hell, Experian et al will fall.

    1. DefendOurFree

      Actually, that is a good idea. Why can’t we copyright or trademark our identity? Is this possible? How?

    2. DefendOurFree

      Is it possible to copyright or trademark personal identifying information? Would this be an option?

  4. Lee Church

    Experian selling and churning the data reminds me of one of my Christmas-time favorite songs:

    Grandma got run over by an algo
    On her way to buy her retirement home
    She knew she had to fight off scammers
    but there were other things she should have known.

    Grandma had her data stolen by a website
    which sold her many times all on it’s own
    and loaded her in high speed algos,
    which front run her in bidding on her home.

    They told her not to worry about the hackers
    and her info was ‘pretty safe’ , it’s was OK
    Then they sold her data to the hedge funds
    who used it to front run her IRA.

    (to the tune, ‘grandma got run over by a reindeer’ of course)

    It is worth pointing out that 3 out of 4 stakeholders recently discussed securing consumer’s CC data. Let’s guess which of the four wasn’t represented, shall we?

    A- banks
    B- merchants
    C- credit card companies/processors
    D- consumers

    That, of course, is a trick question. The consumer isn’t a stakeholder. The consumer is the “bag holder”.

    Thanks to Brian and others, we see the onion peeled back a bit on the data for data sake business models. What I see is that in addition to the hackers/miscreants, who are in their own right a huge blight on the earth, we have folks who operate more or less legally selling data making the world a worse place. To grandma, it doesn’t matter if the hacker robs her, or wall street robs her, she is still robbed.

    Eventually, my hope is sanity prevails, before we repeat the financial crisis from Great Recession 2.0 (IT big data version).

    We should expect the public relations pieces about the wonders of big data, and how it helps society.. on three.. two.. one.. and roll…

  5. Cassandra

    It’s hard to really call this a “breach” when a company explicitly in the business of selling this data … sold this data.

    The real problem here is that anyone can be impersonated, and tax returns filed and lines of credit opened in their name, with just this information about them despite that information being effectively in the public domain.

    Even if Experian suddenly becomes 100% effective at magically never selling the data to anyone who will misuse it, bad actors can get the data the same way Experian gets it, or find it in yet other ways.

    The real fix is to make knowing lots of stuff ABOUT someone not sufficient to assume their legal identity and collect, or create debts or obligations, in their name. We need a new concept of “legal identity” that’s much more resistant to impersonation, while still avoiding the dangerous “national ID/mark of the beast” scenarios that carry a significant danger of totalitarian misuse by government.

    Anything short of that is just putting a Band-Aid on the symptoms while not addressing the root of the problem.

    1. Lee Church

      Very true.

      One can either take away the chips or devalue them.

      Your suggestion for changing the standards which enable entity theft so easy makes the casino chips (consumer information) the Experian folks are playing with less valuable, and less dangerous.

      My bet is that we need to have a really really big disaster, and then folks might think about getting started, someday.

  6. Lee Church

    re: part of Brian’s article where the maximum fine for the miscreant is twice the profit, or twice the cost to consumers.

    One does have to wonder how anyone can possibly calculate what the cost to Brian will be 45 years from now because of the breach, let alone any other consumer that we are not aware of yet.

    A few variables would include his health, financial condition, housing prices, etc. I suppose we can just use big data’s predictive genuis wonder models to tell us the answers. 🙂

    Just one question though, does the fine get indexed to the year the harm materializes (FV) or do we use present value (PV)?

    (sarcasm intended)

  7. AlphaCentauri

    Once the info is gone, you can’t get it back, and mine’s gone out the door with so many breaches it’s hard to imagine one more will make a difference.

    I agree with the poster that said the people who rely on stolen data — and who are patronizing data brokers like Experian — should eat any losses, not the consumers whose data has been stolen.

    The amount of inaccurate data does show the weakness in their business model, though. They save every scrap of data, accurate or not. We should be responding to their attempts to gather more data by feeding them information for imaginary people, to drive down the value of bulk data sales. Fill out those warranty cards, enter those contests, sign up for those loyalty cards, etc.

  8. laz

    here’s one for you, my “mildly stupid” attorney “lost”, my certified (embossed seal) birth certificate, and was reluctant to admit such for over 6 months … to this dat she is claiming that it can’t be found, but he will replace it at no cods to me if I just put my signature on another document which would authorize him to secure another another embossed (raised seal) Certificate of Birth… I’m beginning to believe that he has sold my information & documentsin violation of the attorney’s code of conduct and ethics!! Subsequently last Friday 3/7/14, Capital One’s, Fraud Division called me to ask if I had just made a $300 .00 purchase @ a Walgreens located in El Paso, Tx [an 8 hr @ 75 mph) drive away,] in the last several minutes … after ascertaining that I was no where near the site of use, they asked me to confirm the last several purchases put on the card prior to Friday … they were a week before, and 5 -6 hundred miles away … so much for any privacy … the three last confirmed purchases were at a local grocery chain, and two different gas & go type service stations, manned by , more than likely “undocumented ” workers as I am staying at a location approximately twenty minute drive from the US/Mx border … things are out of control, and those committing the crimes, hide behind the SCOTU applied cover of corporations as persons / sans corp officer, liability … a whole new can of nasty, stinking, rotting worms!! Beware, of what info and to whom you provide it … but one giant solar flare ,or an EMP will make everything electronic/cyber totally moot!! I would highly suggest that those reading this missive, read the book; “One Second After”!!

  9. Lynn S

    What came out of the 60 minutes story is that these big data companies are accumulating information using tracking software on your pc and your phone.
    Shown on the show is how they also have tracking software at the web servers, allowed by the big providers for money I am sure.
    They stated that one of the free phone app that turns your camera flash into a flashlight has tracking software in it.
    They mentioned the rights to do this are in the “privacy” section of the agreements we click we’ve read.
    Last night my computer wanted to update adobe flash. Sure enough I read the privacy section and it mentions tracking software.

  10. Ilya Yakovlev

    Experian (and other credit agencies) have treasure troves of data. The Googles of the world likewise continue to build valuable profiles on every internet user on the planet. If nothing changes, it is likely all of these will leak data at some point. Personally I am more concerned about the non-financial data leakages because they can help determine what’s inside my body health-wise and what I am thinking, and thus potentially limit my employment prospects, determine my health insurance costs, or perhaps even put someone in jail (particularly in totalitarian countries). There have got to be severe costs and other penalties to any company that does not properly secure financial or non-financial data.

  11. Blair Strater

    Services that let you purchase a person’s information aren’t exactly new, and there’s more than just a few of them.

    These breaches aren’t going to stop, that’s just how it is. Sites like these are just a symptom of a larger problem: Every American’s identity is protected by a 9 digit password that’s assigned at birth, can’t be changed, and is available to anybody with $20 and nefarious intentions.

    The social security number was *NOT* designed to be used for identification. And guess what? The more companies that use it as such, the less secure it becomes overall. But it wasn’t supposed to be secure! It had one purpose and one purpose only, but both it’s ubiquitous and unique properties made it very attractive as a “national ID number”.

    Given that people can be *jailed* for fraud commited with their special 9 digit number, I think it’s time that it’s scrapped entirely. Make it 100% illegal for anybody except the government to even ask for your social (for ANY reason), tack on lotsa fines for doing so, and then let the free market create a method for identifying and verifying your identity.

    All it takes is for someone to not like you enough to cough up $20-50 for your information, and then you’ll never get extended any kind of credit again. That includes car loans and mortgages. If you want it cleaned up, expect to pay tens of thousands of dollars, and countless hours, fighting it. It still won’t be clean.

    1. Henry

      When Social Security was first debated [in 1935] in the [Franklin D.] Roosevelt Administration, the president himself assured American citizens that a Social Security number would never be used for identification purposes.
      –VIN SUPRYNOWICZ

      FOR SOCIAL SECURITY PURPOSES ONLY — NOT FOR IDENTIFICATION.
      –THE SOCIAL SECURITY CARD (1936-1967)

      Hereafter any Federal department, establishment, or agency shall, whenever the head thereof finds it advisable to establish a new system of permanent account numbers pertaining to individual persons, utilize exclusively the Social Security Act account numbers…
      –EXECUTIVE ORDER 9397, FRANKLIN D. ROOSEVELT (1943)

      We have to accept that the Social Security number is the de facto national identifier and its use by government agencies at all levels and the private sector is too embedded to change.
      –JAMES G. HUSE JR, INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION (2001)

      What can I say? If you like your identity, you can keep it. Period.

  12. Karl T. Jones

    It’s reached a point where I just don’t care anymore. Steal my ID ahole, I hope you make millions off it. When/if I find out about it, I will file a police report ( for all the good it will do ), and that’s it. Let the “system” figure it out. I know my otherwise pristine credit record will be shot to hell, but so be it. I don’t need a mortgage (own house free and clear ), can pay cash for what I need, and I have insurance. I don’t need the stinking credit industries stinking credit.

    1. Lee Church

      With no mortgage on your house you are now a target for someone to take out a mortgage in your name, at any time in the future. It’s like a giant credit card limit. And one day you might find a lien on your house and it’s been foreclosed on, and you never took out a mortgage!

      So, while it appears safe, it’s not, and even mentioning it makes it more unsafe because it makes sifting through to find you easier. For example, IP address would give general area (IP address from aggregated from this website as one source), and then the property records search. Given your first name is likely somewhat right (last name suspect though) I would think the bad guys have a head start.

      My advice, for what it’s worth (what the heck do I know anyway): Check your property records yourself (usually can be done online these days). Consider a lien made out to yourself, wife etc. That would make a mortgage unlikely as the asset would not be able to back the loan. There are other ways to lock up your mortgage free property, and giving some thought to them is advised (I can’t go into them here as it would compromise the techniques).

      I agree with your sentiment though, making it someone else’s problem is an interesting idea. It addresses some of the moral hazard of all the data collection. Sadly we collectively move the risk around , but that doesn’t make it go away. You will end up paying for it through various economic mechanisms, one way or the other, just as you paid for the housing crisis and Great Recession.

      anyway, we are seeing the public relations of the big data coming out (as I suggested in a comment that this web site decided not to publish.. oh well).

      good luck.

  13. George Appiah

    I’m finding it difficult to understand what “crime” is committed by this Hieu Minh Ngo: is it purchasing a publicly available service that anyone can purchase, reselling it, posing as a private investigator, being a Vietnamese, or what?

    1. BrianKrebs Post author

      Really? Reselling peoples’ bank account, SSN, credit card info, you think that’s legal?

      1. Josh Kirschner

        Reselling people’s bank account/SSN/credit card data is legal. Experian and other companies do it all the time. What is not legal in theis case is to do so without authorization and with intentent to defraud.

        Unfortunately, reslling data incompetently, as in Experian’s case, is still legal.

        This document provides an interesting summary of how personal financial information is disseminated at the public and private level and what laws exist (or not) to protect us: http://www.gao.gov/new.items/d051016t.pdf

      2. Thomas

        Hey Brian, How do I upload a photo on your site?

          1. Thomas

            Good morning,
            I saw others with Photos and as a genuine person, I thought I could? I appreciate your sites awareness.
            Have a great day

          2. Peter B

            (Brian, I think a couple of spammers are trying to use your site to promote their businesses – Thomas is one, Mr.Clark Nard (sic) is a more obvious second. )

            My wife and I have had our identities stolen more than once since 2000, through no fault of our own.

            So far we’ve been able to avoid direct financial loss. Part of the problem arises from inaccurate information held privately by companies.

            The CRAs are the biggest culprit, constantly resurrecting out of date or inaccurate information (some of which are typos introduced by poor data entry), despite months and months spent chasing the false data and jumping through hoops to get the CRAs to delete it – no mean feat in itself.

            The most scary aspect is (or are) the horror stories of ID theft victims being sued by those defrauded by the ID thieves, even though law enforcement agrees that the target of the lawsuits are themselves victims.

            The SSA is apparently still very reluctant to allow a replacement SS number to be issued to the original victim, which would go some way to providing a little protection.

            It’s ironic that our presently straitened circumstances (including homelessness) have made us poor candidates for such theft – anyone who tried to obtain credit in our names would be rejected no matter how many false claims the applicant made…

  14. Fredric

    “We were a victim, and scammed by this person.”

    No, these corporate parasites are criminals who cared only about money, greed is what controls them, they aren’t victims. All they care about is selling people’s private information to anyone with the money to buy it, they don’t give one good damn about anything but money.

    1. Thomas

      Fredric, I appreciate your comment. Your not the only one, millions are going to be affected including children.

      While most think its only about credit, its also criminal, medical, social security, drivers license ect.

      Truth is, there is a solution. The number one company in the world for Identity Theft, a non media company, that protects countries, fortune 500 companies, will protect your family as well. (and not per social security, like the media types)

      By the way the number one company offers Comprehensive Restoration Services!

      I write this message, not to sell anyone, but to inform the masses of a solution. The criminals dont sleep and neither do the good guys!

      Click my name to go to the web site.

  15. Walter

    It’s amazing that Social Security uses Experian to verify your existence when attempting to signup for on-line access to your account. If your credit report status is frozen (as is mine) you cannot setup an on-line account and unless you contact Social Security by phone you will never know why. I wonder how many tax dollars the government spends to use Experian’s services.

  16. Mr.Clark Nard

    Dear sir/madam, We offer our Loans to our clients In ($)USD, (£)GBP, (€)Euro, India Rupees or Singapore Dollars($) and in the following categories. Personal Loan, Real Estate Loan, Business Loan, and others. Contact us Via
    Email:clarknardfinance69@gmail.com.sg

Comments are closed.