April 21, 2014

In December 2013, an executive from big-three credit reporting bureau Experian told Congress that the company was not aware of any consumers who had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. This blog post examines the harm allegedly caused to consumers by just one of the 1,300 customers of that ID theft service — an Ohio man the government claims used the data to file fraudulent tax returns on dozens of Americans last year.

Defendant Lance Ealy.

Defendant Lance Ealy.

In February, I was contacted via Facebook by 28-year-old Lance Ealy from Dayton, Ohio. Mr. Ealy said he needed to speak with me about the article I wrote in October 2013 — Experian Sold Consumer Data to ID Theft Service. Ealy told me he’d been arrested by the U.S. Secret Service on Nov. 25, 2013 for allegedly using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by guy named Hieu Minh Ngo.

“I really need to speak with u about this case because the US attorney assigned to this case and the Secret Service agent are trying to cover up Experian involvement in this case,” Ealy said, without elaborating on his theory about the alleged cover-up.

Ngo is a Vietnamese national who for several years ran an online identity theft service called Superget.info. Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to findget.me. The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty earlier this year to running the ID theft service, and the government has been working on rounding up his customers ever since.

Mr. Ealy appears to be one of several individuals currently battling charges of identity theft after allegedly buying data from Ngo’s service, which relied in part on data obtained through a company owned by Experian.

According to the complaint (PDF) against Ealy, government investigators obtained a search warrant for Ngo’s email account in March 2013. Going through that email, investigators found that a customer of Ngo’s who used the address lanceealy123@yahoo.com had already purchased from Ngo some 363 “fullz” — a term used in the underground to describe a package of everything one would need to steal someone’s identity, including their Social Security number, mother’s maiden name, birth date, address, phone number, email address, bank account information and passwords.

The Justice Department alleges that between Jan. 28, 2013 and Oct. 17, 2013, Ealy filed at least 150 fraudulent tax returns on Americans, instructing the IRS to send the refund money to prepaid credit card accounts he controlled. The government claims that about 50 of those bogus claims were made with Social Security numbers and other data obtained from Ngo’s ID theft service.

For his part, Mr. Ealy says he’s not guilty of the crimes the government is trying to pin on him, and that prosecutors have yet to turn over any evidence as required.

“They still failed to turn over any evidence or discovery,” Ealy said in a Facebook conversation. “When I get my discovery packet I will like you to publish a story about me in connection with the Vietnam individual and can you also see who else has a case in connection with Ngo. Also they keep trying to pressure me to cooperate with them but I don’t want to until they turn over all evidence in this case.”

Initially, Ealy was facing a single-count indictment (PDF) in connection with the investigation. But when Ealy declined to agree to a plea agreement with prosecutors, the government appears to have thrown the book at him — lodging a superseding, 42-count indictment (PDF). Ealy said he recently filed a motion to fire his attorney and is currently representing himself, although he says he is looking for another lawyer.

According to local Ohio news site whio.com, Ealy is the son of a candidate running for Ohio governor. WHIO says Lance Ealy’s father — Larry Ealy — is embroiled in an ongoing investigation of allegations that he and three others who passed nominating petitions for him turned in fraudulent signatures to local board of elections.

In addition to the tax fraud charges, the younger Ealy also is accused of opening bank accounts to electronically deposit the fraudulent tax returns. If convicted, he faces up to 20 years in prison and fines of up to $250,000.

Messages discovered in Ngo's inbox from lanceealy123@yahoo.com, which the government claims was used by the accused.

Messages discovered in Ngo’s inbox from lanceealy123@yahoo.com, which the government claims was used by the accused.


97 thoughts on “An Allegation of Harm

  1. Dave

    I’m confused. Is it your position that Ealy is a victim here, and that his identity was stolen, then used in illicit activities? Does he provide any evidence of this?

    1. Dave

      Or are you persuing this story purely from the innocent until proven guilty perspective?

      1. Benjamin

        One of the hallmarks of real journalism is to remain as unbiased as possible. Mr. Krebs is not a talking head on a 24 hour news network. He reports facts as he finds them. He is merely representing both sides of this story.

        1. BrianKrebs Post author

          I’m just stating the facts as we know them, which is that the government believes Ealy was a customer of Ngo (who ran the ID theft service). The government alleges Ealy filed fraudulent tax returns on more than 150 Americans. So, no, the government does not believe Ealy is a victim here.

          1. Dave

            What was the purpose of Ealy reaching out to you? It seems he told you something you already knew. Do you know how many more arrests were made? Are arrests being made just for the purchase of the information?

            1. Mike

              What was the purpose? Well, as it said in the article…

              –paste–
              “I really need to speak with u about this case because the US attorney assigned to this case and the Secret Service agent are trying to cover up Experian involvement in this case,”
              ———

              He contacted Krebs because of the cover-up of Experian’s involvement as the entity that sold data to the Ngo. Just read.

              1. Dave

                And yet, the linked article clearly details that experian was selling this data. Like I said, I’m not getting the twist here. Is there more to this. Was experian a co-conspirator in this fraud? Was it ignoring the obvious. How many other times has experian done this? How does experian vet current and future customers?

                Lastly, unless you’re Brian Kreb, the question was not directed to you. Did you take a call from Ealy?

                  1. Rick

                    I’m sure they’ll parse that statement to be “DIRECTLY harmed” since there were a couple of layers of players in between them and the victims.

                1. CooolAC

                  From previous articles on this, whats shocking is that these sales were right on the books! Even the Secret Service couldn’t believe how Experian could not have noticed.

            2. NickDanger

              (Re)Read the first paragraph of the post – the point of the article is to refute (or at least address) Experian’s claims that there’s no evidence of consumers having been harmed as a result of Experian selling their personal information to an ID theft service.

              The information on Ealy’s situation is evidence that consumers HAVE, in fact, been harmed by this situation – regardless of whether or not Ealy is telling the truth, it’s safe to say that SOMEONE filed the fraudulent returns that he’s been accused of.

          2. Unsigned

            Additionally, and potentially of more interest is the comment about forged ‘electronic’ ‘signatures’. immho.

            1. Unsigned

              guess i inferred ‘electronic’. apple doesn’t fall far from the tree?

  2. Terry

    Great story, and well presented.
    I note that you have not taken a position on this, but simply written it up as presented to you.
    Sometimes that is the best way to play it, and that is the case here. Time will tell where the truth lies.

    1. FARO

      Thank you Terry. I have fiddled around with that Message tab all the time and never realized on could send emails. Thanks again.

      1. Daniel

        It’s not quite that simple or useful.

        If you are not a ‘friend’ of the person you want to message, Facebook will allow you to send message but they will also tell you that because you are not a friend the message will go to the recipients ‘Other folder’
        However for a fee (R2.67 ~ 25c US) they will send it to the normal inbox.

        How useful is a message sent to the ‘other’ folder – not much.

        I am not sure where the ‘other’ folder might be or what notification – if any the recipient is given but as an example last week I found an access card for a lady with an unusual surname. So I use Facebook to try and contact 30 people living locally with the same surname – not one ever replied.

        1. Heron

          FB members may change our default account settings so we’ll be notified of new messages in our “Other” folder. Most people don’t do that, however.

          But there’s a way around it: Simply let the person you’re trying to contact that you’ve sent him/her a message, in a comment section in which (s)he’s participated. That’s what I do when I wish to communicate privately with someone I’ve first made contact with in the course of my regular FB participation.

          Everyone I’ve notified this way has taken the time to find my message, and gotten back to me.

  3. instarx

    I think the important part of this story is not whether Mr. Ealy is guilty, but the debunking of Experian’s Public Relation-speak statement that they were “not aware of any consumers being harmed”, which is not the same thing as “no consumers were harmed” (although it is the way Experian’s PR Dept. would like you to read it).

    That Mr. Ealy was arrested for identity theft of 363 consumer “fullz” shows that Mr. Ngo did distribute their identity data to others, consumer have been harmed, and Experian and it’s subsidiary share the blame.

  4. FARO

    With respect to Early’s father here is what is reported about the democratic primary. Larry Early is running his campaign from a jail cell. His campaign has no staff, funds or web site but does have a comment on Facebook.

    From the Dayton Daily News – 13 April

    “Early has never held political office. He is an unemployed laborer and divorced father of 10 who collects Social Security disability benefits. He has filed so many frivolous lawsuits that the Ohio Supreme Court declared him a vexatious litigator. When asked about his education, he said he studied law at the University of Dayton but also admits that it was “self-directed.”

    1. Infosec Pro

      Question, for both you and Brian: what does the allegations about his father have to do with Experian?

      1. BrianKrebs Post author

        I think it’s interesting because both men are in somewhat precarious positions legally (Ealy’s dad is reportedly running a campaign from a prison cell) and yet apparently quite optimistic about their chances.

  5. 2ndPlace

    I would think that someone claiming to be a victim (given the severity of the charges) would rush to cooperate with authorities rather than wait for implicating evidence to be shown. The latter seems like an egotistical stance against the authorities: I don’t think you can make a case against me, so I’m not cooperating.

    1. Neej

      Then you clearly have very little idea of how an adversarial system works.

  6. TheOreganoRouter.onion.it

    He will allow the story to published after he gets the governments discovery, that sounds rather suspicious if you ask me.

    The discovery information is right in his yahoo email account.

    1. Jason

      So what if I obtain all your personally identifying info and open up a Yahoo account that perfectly matches all your info, and start committing criminal communications with this account?

      I’m not saying that Early is or is not a victim here, but saying that one should think about “what if” and put themselves in this situation.

      Hypothetically, if someone has do this to me, do I need to tell the investigators all my dirty laundry to prove I’m innocent? No thanks, I think I’ll pass. It’s not my job, even when innocent, to assist the government in convicting people.

        1. TheOreganoRouter.onion.it

          You wrote in this particular article that “younger Ealy also is accused of opening bank accounts to electronically deposit the fraudulent tax returns” so my assumption is that this guy is a career criminal, who’s only goal in life is to defraud people. If a person is accused or found guilty in the past of the same type of crimes, then he or she shows that their past behaviors ( recidivism) will continue on, no matter the consequences.

          A lot of career criminals play the victim role looking for sympathy to manipulate. Don’t fall for this guys B.S.

  7. milton

    It seems to me that Experian is trying to distance themselves from all of this too. Never mind this Ealy guy, as you can plainly see the apple does not fall far from the tree. But Mr Krebs is it me or has there has been a trend of companies that have recently found out they have been hacked and their customers accounts along with their info, following a trickle information trend or first saying that it is not a big issue only to be uncovered to being a HUGE issue? Is there any type of laws being crafted to aid consumers? I mean at what point are companies held liable for the damage caused to ones credit? Then now the credit agencies are being found to be complicit also and they are ones that hold a treasure trove of information on everyone and on whose literal livelihoods depend?

  8. Paul

    I don’t know if anyone else picked up on this, but it is very possible this man was a victim of e-mail theft. It is very common as hacked email addresses and dump sites are worth a lot of money in the criminal underground. Someone smart enough to buy stolen data is unlikely to use their own email address, or anything that will directly relate them to the crime.

    Looks like the jury is all out. If his email account was siezed as evidence it is unlikely Ealy has access to it anymore. It is very likely he rarely used it in the first place if he is innocent, which was what probably made him a target to be used for this crime.

    Why involve mules when you can create virtually anyone into a mule to take the fall. This scares me a bit cause I know several friends and family that don’t consider there email that important to put a secure password on it.

    Disclaimer: all speculation, just adding some thoughts to consider, as this could be a very real problem.

    1. BrianKrebs Post author

      It’s certainly possible, but it seems unlikely given the other work that investigators did to check with his ISP who was using the account, which IP, etc. Read the PDF complaints linked in the article.

      1. Shawn

        Funny, the individual who typed up the PDF has a different email address listed in 11, that in 9 & 10.

  9. NotMe

    Well written article Brian, can’t wait to see if Mr. Ealy comes up with some hard data on the alleged cover-up.

  10. Dobo

    Lance Ealy, the apple doesn’t fall far from the tree, does it?

  11. -stephen

    Brian, both links in the 10th paragraph point to the same PDF file. I believe we’re missing the link to the 42-count indictment.

  12. Sirk

    Kind of ironic that the complaint contains the “fullz” on Mr. Ealy. Certainly enough to pull the kind of shenanigans of which he’s accused.

    The trouble with this is that if the guy really is innocent the Secret Service has given away his identity, which is a pretty central concept in the complaint….

    1. BrianKrebs Post author

      I’ve redacted the document. It’s unfortunate that some states still publish full social security numbers in court records, as appears to have been the case here.

      1. sirk

        A good call, even though this guy certainly seems like the kind of special individual who makes me spend my life building building ever higher walls and obsessing over the logs.

  13. JCitizen

    I’m skeptical about anything Experian has to say about this incident; it unfortunately looks like it is high time to add more regulation to the credit reporting industry – and quite frankly, there should be automatic personal ID protection without paying for it at all. If they are going to make money as a service like this they have a sober duty to protect peoples financial data, so they can just suck it up and pay the piper in my not so humble opinion!! >:(

  14. Donald J

    “In addition to the tax fraud charges, the younger Ealy also is accused of opening bank accounts to electronically deposit the fraudulent tax returns. If convicted, he faces up to 20 years in prison and fines of up to $250,000.”

    I think it strange that they initially offered him a plea deal if he “copped” to a single count… now this… yeah, something strange is going on, regardless of WHO is doing it.

    1. BrianKrebs Post author

      It’s pretty typical of the government. They tend not to present these cases unless they think they can win, but they really don’t like to go to trial, so they tend to play hardball if the accused doesn’t cooperate. Not saying that’s fair, just saying that’s the way I see it happening all the time.

      1. Donald J

        So… assuming what you say is the case, and Mr. Ealy made some government prosecutor mad by not taking the deal offered, that would lead me to believe that our government is not as hard on these individuals as they could\should be.

        My personal belief is if you have a case AND can prove it why not sent a message that this will not be tolerated, and I do understand that there could be other implications why such a deal could have been made, but this just seems like sour grapes on the side of the government because they were turned down.

        I’m thinking, if it were me and I did it and was offered that deal, I’m all over it, however, if I were not guilty I’d like to think that I would do what Mr. Ealy is doing, but one never knows.

        Thanks Brian.

        1. BrianKrebs Post author

          Donald,

          Part of the issue is that these cases are quite expensive for the government to prosecute, so they try to avoid prosecutions unless they are absolutely necessary. I don’t pretend to understand their calculus, but it does seem that the government is of a mind to secure some kind of justice for the guilty. That justice is seldom anywhere near the maximum that they could obtain through a guilty verdict at trial.

          1. News Junkie Ed

            The government’s ‘take the easy plea or we’ll make things very tough indeed’ paradigm likely results in innocents (or at least the difficult to prosecute) going for the plea, resulting in a perversion of the system where innocents plead rather than take their chances. That would be a tough position – plea to something you didn’t do or have your life turned upside down.
            Not that I think that’s what happened here.

  15. Old School

    “But when Ealy declined to agree to a plea agreement with prosecutors, the government appears to have thrown the book at him — lodging a superseding, 42-count indictment (PDF).” This sentence made my day! I never knew that just one sentence in a tech blog could create such unbridled joy.

  16. BrentSchmaltz

    It is not surprising to me that Experian will not suffer as a result of this breach. It is really hard to prove any damage was a result of a specific breach. A user would need resources to pursue any action. Experian could easily out gun a single user.

    @JCitizen, totally we have to recognize that in today’s world, a strong requirement for protection of identity theft is to monitor ones state.

    It seems that socially, we are just not prepared for this new world of electronic identities. Companies are collecting info and storing it, for example, last week at HomeDepot my drivers license info was collected for a refund. Users are sitting in a safe comfortable environment, their living room, giving personal info to companies and just assume all is good. It is proving not to be the case.

    1. JCitizen

      Yeah, I can recognize that – but that is Experian’s problem – we are the innocent party.

    2. Neej

      I have no idea of how this stuff works. That said, wouldn’t the situation be suitable for a class action against Experian?

  17. Clint Davis

    I think the real crime is Mr. Ealy’s haircut.

  18. meh

    I would hope the secret service wouldn’t move on this without some kind of financial paper trail pointing that he was somehow benefitted financially from this fraud – simply finding an email address doesn’t necessarily mean he was involved but finding a couple missing million dollars worth of loot would.

    1. BrianKrebs Post author

      Meh — Read the PDF complaints linked in the article. There is a lot of evidence in there.

      1. sirk

        Certainly enough to steal Mr. Ealy’s identity. Though I’m not sure I’d personally want to try to open a card in his name.

      2. meh

        They do have some loosely linked in his name but I’m talking more like bank photos of him opening accounts or depositing funds.. Or crazy expensive boats, cars, or things he couldn’t explain how he managed to afford.

      3. Louie

        Agreed, after reading the nine page complaint, the alleged victim should definitely find a new attorney and consider cooperating – personally the evidence appears overwhelming.

        1. Tiktok

          I speculate that the reason he fired his last lawyer is that the lawyer recommended the plea deal that Ealy didn’t like. Given what I’ve seen in the indictment, notwithstanding the “innocent till proven guilty” basis for our laws, I’m guessing that he will have a hard time finding a new [competent] attorney to advise him differently. Not because he is guilty; I don’t know that. But because, given the evidence against him, he is likely to be found guilty unless he can show some pretty good contrary evidence to what the government has gathered.

  19. Fitzroy Malin

    Has any individual (natural person) been truly harmed by the alleged activities of Mr Ealy?

    Financially, probably not. With much card fraud, the cardholder is not the victim, the acquiring bank, vendor or card issuer – roughly in that order – will incur the loss on the fraudulent transaction. Here, the individuals whose tax returns were fraudulently filed will not suffer loss. Any loss will be incurred by the US Treasury (and, admittedly, then by all US tax-payers, including the current ‘victims’).

    Physically, not at all (I assume).

    Mentally, well I guess there may be some claims of “trauma”. But I’d put many of these into the same category as the 47 passengers who claimed whiplash injuries after an empty bus crashed into a tree.

    The criminal tests for “harm” are well-established on both sides of The Pond (I’m in the UK), and many alleged incidents of “harm” fall far short of satisfying them.

    Turning now to Mr Ealy’s claim of innocence, I note a deal of similarity between the language and style used in the requests for “fullz” and that in the Facebook PM to Brian. Not enough to convict, but enough to wrinkle my nose and crease my brow as an investigator.

    TTFN – Fitz

    1. sirk

      Are you saying that if a no natural person is harmed then no crime is committed?

    2. BrianKrebs Post author

      Interesting. So, let’s play this out logically. I’m a consumer and I file my taxes, and the government says, oops, you’ve already done that! Sorry. Someone probably stole your identity. Here’s a nice big ole stack of new forms to fill out. And once we’ve gotten through all those in a few months, then you can file your real taxes, and sorry about any penalties you’ll incur from all this mess but we’ll make it right next year. Meanwhile, you might want to file police reports, reports with the FBI, the FTC, and consider contacting the credit bureaus.

      So I, as freaked out taxpayer at this point, go and purchase some credit monitoring service from a big company (Experian, maybe? Again, I’m just a taxpayer who got told by IRS that I’m a victim). Am I still not a victim? Oh yeah, not only did they steal my Social Security number, but the thieves obtained my banking information, username and password, access to my email account, etc. There’s a decent chance these clowns who filed returns on me with the IRS have also opened up new accounts in my name (that is certainly happening with many of the victims of tax fraud that I’m speaking with).

      It’s remarkable that anyone could make a statement that an individual in a situation like this would not be a “victim” or suffer “harm.” If a fraud incident causes me to spend lots of my time and money (time=money) trying to repair damage to my credit or good name, I would definitely consider that to be harm.

      1. meh

        And the person you referenced probably also votes republican for less oversight of these companies like Experian and looser federal and state laws to penalize these corporate titans from repercussions of this type of crime. They also tend to gut enforcement from the budgets meaning less chance of them ever tracking down who did it and even if they do get caught, full jails and no money to build new ones mean they will get released within weeks or months anyway. We are returning to a wild west type of culture where you are going to have to do your own police work and shoot the offenders, then dodge the law yourself forever since they don’t like competition.

      2. CooolAC

        Isn’t it also true, they might sit on this information for years before using it? Which is why many feel target should have given 5 years free identity monitoring and not just 1.

        1. timeless

          The University of Maryland seems to think so.

          I agree.

          I was going to say that you can’t change your SSN, but you can: http://www.socialsecurity.gov/pubs/EN-05-10064.pdf

          You can’t change your birthday.
          You can’t preemptively change your SSN.

          So, you remain at risk of Identity theft until it happens, and then you’re eligible for a blank slate. But then, you have to build a credit history from nothing…

    3. Parttimer

      Stealing an identity to file a false return can mess up the person’s life far more than a credit card. Your withholdings disappear, the IRS insists that you filed a return and they paid a refund. Then they process your legitimately filed return as an amendment and they want to be paid again.

      When this happened to my daughter, the service told her that it was theft and to report it to her local sheriff. Meanwhile they billed her for unpaid taxes. If you have ever read an IRS collection letter, it’s quite threatening.

      The service has since realized the scope of the problem. It’s measured in billions with a b. They are a little more understanding now, but their computer system has not yet become self-aware, unlike Skynet. You may face years of problems.

    4. instarx

      “Financially, probably not. With much card fraud, the cardholder is not the victim, the acquiring bank, vendor or card issuer – roughly in that order – will incur the loss on the fraudulent transaction”.

      If you had ever had your identity stolen you would know that this is very much not the case. It is financially devastating, effecting loans, interest rates, the ability to use credit and even the ability to get a job. Even though you may not have to actually pay bogus charges on a credit card, the financial effects last for years.

  20. what??

    Brian,
    I have a simple suggestion for IRS:
    Do not process a tax return that does not match
    the withheld (or estimated) tax paid for that year.

    I read the pdf, and it does not include withheld
    (or estimated) tax paid.

    Do you really think the IRS is so inept that they
    do not automatically check this?

    1. Parttimer

      The system will compare the claimed withholdings, estimated payments and extension payments and calculate a refund based on the payments that they have on file. They send a letter telling you that your refund has been adjusted based on their records.

      1. what??

        Parttimer,
        Sounds like you know how this works.
        Excuse my sarcasm, it is directed at IRS.
        You say the IRS does compare withholding,
        estimated tax and extension payments.
        OK, that is part 1 of the solution.
        Then they refund an adjusted amount based on
        their calculations!!!
        If it does not match, the IRS should flag that as
        a possible forged tax return.
        Then they should put that return in limbo until
        April 15, to see if another return is filed for the
        same SSN.
        Problem solved.
        How hard can that be?

        >The system will compare the claimed withholdings, >estimated payments and extension payments
        >and calculate a refund based on the payments that >they have on file. They send a letter telling you that >your refund has been adjusted based on their >records.

        1. Parttimer

          The problem the service has is keeping up with the constant change in the tax law. The idea of “paying” for each spending bill in Congress results in changes being spread all over the law and not just in tax legislation. The coordination of the tax law was blown up by the Argentine Firecracker leading to the resignation of Wilbur Mills who used to control all tax bills through Ways and Means. Changing the system is a painting a moving train problem. They have to update production systems with hard deadlines every year.

          Some of the best programmer around are the people that design the tax forms.

          1. what??

            Parttimer,
            You say that the IRS has other priorities that
            are more important than catching criminals
            forging tax returns.
            OK, I get that.
            But I believe the cost of forged tax returns is
            in the billions of dollars. That would seem to
            raise it to the top of the list. And fixing it is
            relatively trivial. Just delay refunds (until april 15)
            for those returns that have incorrect witholding or
            estimated tax amounts.
            What am I missing here?

    1. Old School

      Nice catch. Using: http://www.abc22now.com/shared/news/top-stories/stories/wkef_vid_19651.shtml

      “Ealy appeared Tuesday, April 16, 2014, before U.S. District Judge Michael Barrett, who released Ealy on electronic monitoring and set a trial date for August 18, 2014.
      If convicted, Ealy could face 37 years in prison and fines of about $500,000.”
      Brian had ” If convicted, he faces up to 20 years in prison and fines of up to $250,000.” Sorry Brian, but I prefer ABC’s 37 years plus $500,000. The fine, whatever size, will never be collected.

    2. Heron

      More like, IF they practice due dilligence. Maybe he won’t be able to find a competent one to represent him, at this point.

  21. Lisa

    @BrianKrebs
    Not sure where to place this question as it’s not specific to this particular story but would it be possible to adjust our post/comment notifications so we can be taken directly to a specific comment? I find that I occasionally would like to reply to a person who has replied to my question but I have to search through all the comments in order to do so. I should note that I access this blog exclusively on my iPhone.

  22. Jeremy

    I suppose it’s an interesting thought: are identity thieves defrauding consumers, or are they simply defrauding banks and the IRS and the government? Due to FDIC insurance, I could see carders and identity thieves somehow justifying their actions as stealing from “the man” and “big business” instead of from regular people, if it were the case that there is typically no financial loss for the victims in the long run.

    Not to say that what they’re doing would then be moral (just because a corporation is big doesn’t mean it’s right to steal from them), but I’d be curious to see how people doing this sort of thing actually view it ethically. I could also see Experian citing something like this as a defense of their statement of “no harm to CONSUMERS”.

  23. Rick

    I use Postfix as my perimeter email gateway, and one thing you can do with it is to have “recipient delimiters” which are throwaway parts of an email addesss (ex. foo-bar@example.com which will get delivered to foo@example.com) which allows granular tracking of who is leaking your email address since you can use a one-off address.

    The past week I’ve been seeing 419 spams addressed to foo-equifax (yes I know this article is about Experian) so they’ve had a leak of some sort, too, as they’re the only place that address could have come from.
    Things that make you go “hmmmm.”

    1. Lisa

      That’s interesting… @BrianKrebs, what’s your take on an Equifax leak?

        1. avshopping@yahoo.com

          Oops, Lisa, I read your post too quickly. Mea culpa.

        1. Lisa

          Thank you @Heron

          For one thing that particular article only addresses the stolen data of celebrities. I don’t pretend to know the poster calling himself “Rick” but I doubt he’s a celebrity…
          From the referenced link:http://www.bloomberg.com/news/2013-03-12/equifax-transunion-say-hackers-stole-celebrity-reports.html
          “Upon learning of the situation, we took immediate action to freeze the credit files of those victimized by this malicious attack in an effort to minimize impact to those individuals”
          I’m gonna guess the quick & seemingly proactive response was due to the high profile nature of the subjects. You, I & other lower profile people would be treated with such deference.

          So my original question remains with the addition of specifying that either this is a separate breach or that particular breach involved a much wider group of subjects than the article focused on.

          So…
          What say you @BrianKrebs?

            1. Lisa

              @BrianKrebs thank you for the reply but what do you mean you were “swatted”?

              Also, that they used a legally accessible credit report site is additionally disturbing. When I’ve accessed that site myself I recall needing to jump through hoops to confirm my own identity by confirming old addresses, vehicles owned & the like. Don’t they still require that for access, or is that info relatively easy for fraudsters to access as well? Which would open another can of worms; How the hell can we make a service like this secure at all while keeping it accessible by the average person?

  24. roflem

    Back to the topic: to me this initiative of the presumable scammer (innocent til proven), sounds like a lame attempt to divert his wrongdoings and shift attention to the security hole. Experian should be held responsible for selling the data to a scammer but it doesnt look like that is going to happen anytime.

  25. Jim C.

    Sounds like Ealy was himself scammed by Ngo and then tried to make himself out like a victim when the Secret Service and Justice Dept. nailed him, putting the blame on Ngo. As you said it so accurately, Brian, a lot of the damage is already done to the honest consumer and trying to repair it is often very time-consuming and expensive. One thing I would recommend to your readers is adding an “identity theft” rider to your home insurance policy so that you don’t have to fight these unfortunate situations alone.

  26. Serena

    This is intruiging! If someone else posed as Lance Ealy, the person used his email address for communications; the person used used his name, social security number, date of birth, and his current address to open bank accounts; and the person confirmed that Ealy’s facebook page was his. The investigators had two phone numbers for Ealy but apparently never made phone contact with him. And apparently the investigators never made face-to-face contact with him either. All communications were done electronically. My gut feeling is that Ealy did indeed commit these crimes, but if all the investigators have is electronic communications it seems Ealy might have a good defense. He needs a special kind of attorney though.

    Is it possible to open a bank account without providing some tangible documentation that you are who you say you are? When the person opened the bank accounts, did he/she provide a driver’s license?

Comments are closed.