In the wake of long-overdue media attention to revelations that a business unit of credit bureau Experian sold consumer personal data directly to an online service that catered to identity thieves, Experian is rightfully trying to explain its side of the story by releasing a series of talking points. This blog post is an attempt to add more context and fact-checking to those talking points.
Experian has posted several articles on its Web properties that lament the existence of “inaccurate information about Experian circulating in news outlets and other Web sites.”
“It’s no surprise that cybercrime and data breaches are hot topics for media and bloggers these days,” wrote Gerry Tschopp, senior vice president of public affairs at Experian. “Unfortunately, because of all the attention paid to these topics, we’ve seen some inaccurate information about Experian circulating in news outlets and other Web sites. I want to take a moment to clarify the facts and events.”
I’ve read this clarification closely, and it seems that Experian’s latest talking points deserve some clarification and fact-checking of their own. Below are Experian’s assertions of the facts (in bold), followed by some supplemental information glossed over by said statements of fact.
-No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.
As all of my stories on this incident have explicitly stated, the government has said the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service).
For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.
“Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service,” US Info Search CEO Marc Martin said in a written statement. “We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored. Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention.
-Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.
Experian has a duty to conduct “due diligence” on companies it wishes to acquire, because it knows that in purchasing a company it will acquire all of the company’s assets — including whatever debts, liabilities or poor decisions the previous owners may have incurred that end up creating problems down the road. Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company. Addressing a U.S. Senate committee last December, Experian’s senior vice president of government policy, Tony Hadley, allowed that “during the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person.”
Also, if it wasn’t clear by now, Experian’s PR mantra on this crisis has been that “no Experian database was accessed,” in this fraud. But this mantra draws attention away from the real victim: Consumers whose information was sold by Experian’s company directly to an identity theft service. A critical question to ask to this line of thinking is: Why does it matter whose database it is, if it contains personal info and Experian profited from its sale?
-Court Ventures was selling the data in question to the criminal for over a year before Experian acquired the assets of Court Ventures.
True. Which suggests there should have been plenty of evidence for Experian’s due diligence team to detect fraudulent activity of the sort generated by an identity theft service using its network. Perhaps just as importantly, Court Ventures continued to sell consumer records to the ID theft service for almost 10 months after Experian acquired the company.
-Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed.
This publication has never stated that there was a breach of 200 million records. But it is true that KrebsOnSecurity.com was the first to report on the information contained in government statements made during the guilty plea hearing of Hieu Minh Ngo — the man who admitted to running the identity theft service. In those statements, prosecutors for the U.S. Justice Department stated that Ngo — by virtue of fooling Court Ventures into thinking he was a private investigator — had access to approximately 200 million consumer records. As I have stated previously, however, Ngo had to pay for the records he accessed, and he was running a service that charged customers for each records search they ran.
A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.
Lastly, Experian discontinued the sales of this data immediately upon learning of the problem and worked closely with law enforcement to bring this criminal to justice, (the perpetrator has recently pleaded guilty). We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search’s data to Ngo (the perpetrator), and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian.
If it really was US Info Search — not Court Ventures — whose database was accessed in this scheme, why is Experian suing Court Ventures? [Update, 9:03 P.M.: Databreaches.net has a good explanation to this question, which happens to support previous research of mine on why this breach could be far bigger than 3 million Americans).
Here’s a far more important question that Experian needs to answer: What has the company done to make things right with the Americans whose identities were stolen because of this whole fiasco?
Regarding those victims, Experian’s Mr. Hadley stated under oath in front of a U.S. Senate committee that “we know who they are, and we’re going to make sure they’re protected.” But, incredibly, in the very next breath Hadley seemed to suggest that none of the millions of consumers whose data was stolen by Ngo and his identity theft service had experienced any danger of identity theft or were even in need of Experian’s protection.
“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley told the committee.
For his part, US Info Search CEO Martin says it doesn’t appear that Experian is interested in notifying anyone.
“We have cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications,” Martin wrote in an email to KrebsOnSecurity. “In addition, Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”
Experian has declined to answer questions about whether it has lifted a finger to help consumers impacted by this scheme, or to clarify its apparently conflicting statements about whether it believes anyone has been harmed by its (in)action. But then again, what exactly would the company do? Offer them a year’s worth of dubiously valuable credit monitoring services? Oh wait, that’s right, Experian practically invented the hugely profitable credit monitoring industry, whose services are negotiated and purchased en masse virtually every time there is a major consumer data breach. Br’er Rabbit would be so proud.
In summary, Experian wants you to remember that the consumer data sold to Ngo’s identity theft service didn’t come directly from its database, but merely from the database of a company it owns. But happily, there is no proof that any of Ngo’s customers — who collectively paid Experian $1.9 million to access the data — actually harmed any consumers.
Readers who find all of this a bit hard to swallow can be forgiven: After all, this version of the facts comes from a company that has been granted a legal right to sell your personal data without your consent (opting out generally requires you to cut through a bunch of red tape and to pay them a fee on top of it). This from a company that is quibbling over which of its business units profited from the sale of consumer records to an identity theft service.