21 Jul 15

Experian Hit With Class Action Over ID Theft Service

Big-three credit bureau Experian is the target of a class-action lawsuit just filed in California. The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.

The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me.

Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including Court Ventures, a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States, and for nearly ten months after Experian acquired Court Ventures, Ngo continued paying for his customers’ data searches via cash wire transfers from a bank in Singapore.

Ngo’s service sold access to “fullz,” the slang term for packages of consumer data that could be used to commit identity theft in victims’ names. The government says Ngo made nearly $2 million from his scheme. According to the Justice Department, the IRS has confirmed that 13,673 U.S. citizens, whose stolen personal information was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns.

The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA). The plaintiffs also want the court to force Experian to notify all consumers affected by Ngo’s service; to provide them free credit monitoring services; to disgorge all profits made from Ngo’s service; and to establish a fund (in an amount to be determined) to which victims can apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service.

Experian’s Tony Hadley, addressing the Senate Commerce Committee in Dec. 2013.

“The Security Lapse notice, as well as the above referenced protections, also will fulfill the promise made to Congress by Tony Hadley, Experian’s Senior Vice President of Government Affairs and Public Policy, that ‘we know who they [the Security Lapse victims] are, and we’re going to make sure they’re protected’,” the complaint states. For more on Experian’s contradictory statements before Congress on this breach, see this March 2014 story.

Experian did not respond to requests for comment on the lawsuit, and it has yet to respond to the claims in court. A copy of the complaint is here (PDF). Incidentally, Experian and the former owner of Court Ventures are currently suing each other over which company is at fault for Ngo’s service.

For additional stories related to Ngo’s service and his hundreds of criminal customers, check out this series. For more on what you can do to avoid becoming an identity theft victim, please see this story.

47 comments

  1. Wouldn’t it be nice if the heads of these big companies could actually take responsibility for the messes created in their spheres of influence instead of trying to point the finger elsewhere? Just make things go right instead of obsessing over who made things go wrong.

    • Yeah, but this won’t happen. A court must stop this timewasting fingerpointing, otherwise they’ll do it for years.

      I even blame those management people for supporting most of the data breaches. Stupid feature requests to be completed in a very short range of time by as few programmers as possible. And harvesting data is a great thing for the marketing morons.

      Appreciate that case. Thanks Mr. Krebs!

    • Well, clearly it’s Court Ventures’ fault, and not Experian.
      10 months of draining … This could have been IBM, JPMC or anyone else, if it wasn’t Experian.

  2. I realize there is a lot I can do to prevent identity theft but when the credit bureaus give it away? How does one protect from that?

    And – Seriously – Paying for credit info on US citizens using cash wire transfers from a Singapore bank? How could they be so incompetent as to not detect that?

    • 1. You can (and should) freeze your credit with 4 major bureaus — then even if someone gets your information, they can’t do much with it — no lender will let someone apply for credit claiming to be you without being able to access your credit report (you can’t just bring in a copy, anyone can print out a document claiming to be a credit report — so the lender will ask for a report directly).

      2. Congress can pass strict liability laws with steep penalties for cases like this.

      3. You can lobby Congress to do 2. And you can lobby your friends to do all of these.

  3. If corporations are people as the SCOTUS had stated, this “person” (Experian) needs to rot in jail a long time.

    • Oh Bill, you are spot on as the law is supposed to be tethered and consistent across the board. When the US Constitution was being thrashed together many of the wise forefathers demanded that it be easy to understand even onto simplest men. Thanks

    • I’ll really believe that corporations are people when one of those corporations gets executed. Even in “bankruptcy” some corporations seem to live on and on shedding liabilities, shifting responsibility, while people keep being injured and dying in known-to-be-defective products.

      Paragraph 39 of the complaint cites FTC Report, Protecting Consumer Privacy in an Era of Rapid Change from March 2012. It is a 112 page pdf available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf and states that compromise of PII is expansive and harmful.

      Given this 2012 warning (and a lot more) how many other corporations are not protecting our information? Considering the 37M exposed (more than 10% of the US population) in just the recent Ashley Madison compromise, it would seem quite a few.

      Jonathan @nc3mobi

  4. Thank you, Brian for this article. I did go to the site and looked at the legal complaint.

    I have a question, though. I was informed recently that the IRS has detected an attempt to file a fraud tax return in my name. The IRS, though, had blocked it and sent me a notice asking if I had indeed filed a return and it turned out that my accountant had not filed a return and my accountant notified the IRS that the return they had in hand was a fraud and they did not let it go through.

    In the meantime, I had filed my own return with an affidavit with my license and passport, which the IRS accepted.

    The IRS, though, did not tell me any details on the fraud return.

    My question to you folks is how do I find out if my information that was used to file the fraud return came from Experian during this security lapse?

    Without that information (whether or not it was Experian’s lapse that exposed my information to whomever tried to file a fraud tax return in my name) I don’t know whether or not to join in on the class actions.

    What should I do, if anything? Join the class action and cross my fingers? Not bother and hope that I would be automatically joined if someone sees my name somewhere in the discovery?

    • You are automatically a member of a class action lawsuit. You have to petition to have yourself removed so that you can sue on your own.

      The problem is that these lawsuits generate money for lawyers and do nothing for the victims. True, you’ll get a year of credit monitoring and maybe a coupon for a couple of bucks off something. But nothing of consequence. Meanwhile, the lawyers, will make millions.

      • “The problem is that these lawsuits generate money for lawyers and do nothing for the victims.”

        You got that right, Bob!

        Not worth taking the time to fill out the paperwork.
        I did it once. Got a check for $1.49 !

        Nowadays if an invitation comes to be part of a class action lawsuit I just toss it (shredding any part of it that may have my name).

        • I got the same check, but only AFTER investing 6 hours in tracking down a dozen 3 to 5 year old securities transactions and making some 80 scan-prints. The outgoing postage was easily an order of magnitude larger than the “reward”.

          I’m involved in one about overpriced memory modules only because a statement was required, not much else. The Court held the Fairness Hearing on June 25, 2014 and approved the settlement on June 27, 2014. YAY! There was an appeal unresolved a year later. BOO! I’ll wager lawyers are racking up hours while my share dwindles.

          Jonathan @nc3mobi

      • We have 3 such free credit monitoring services running now, covering TransUnion (AllClear ID) and Experian (ProtectMyID), from the Home Depot breach, the Anthem breach, and now the OPM. Our credit was still pulled and used in spite of the monitoring, and fraudulent loans taken out. I just mailed in the ID Theft form to the IRS and locked up our SS accounts. Another “free credit monitoring” service isn’t going to amount to a hill of beans here, and the persistent individuals find ways to bypass all the big 4 credit freezes and still use your information.

        This court case will drag on for yeeeeaaaarrrssss, and we’re left picking up the pieces and putting credit back together…

    • And this is why this class action suit will likely fail. Judges have repeatedly ruled in cases like these that if no damages occur, you have no standing. If damages did occur, but you cannot prove it was due to a breach, you have no standing. I believe this ruling will be no different.

      Don’t shoot the messenger here, and I hope I’m wrong, but civil suits like this have little chance. This should be a case brought by a government either state or federal, but those parties have pretty much indicated they are not going to pursue this.

    • Corey Beaulieu

      Even if they knew for sure that your information was compromised as a result of the Experian blunder, they probably wouldn’t disclose this for liability reasons.

  5. Well, it’s about time that one of the Credit Reporting Agencies (CRA’s) is finally hit with a lawsuit over ID theft. At the end of the day, the CRA’s are the ones who provide the information for credit inquiries. And, yet they do NOT authenticate that the person making the request is, in fact, the person they claim to be.

    Clearly, their model isn’t working and instead of implementing something like 2-Factor authentication or some other method of positively identifying the requestor — beyond a reasonable doubt — they will sell you ID theft protection services.

    What burns me is that they profit from this and, therefore, have NO incentive to make any changes to reduce the risk to consumers, banks and lending institutions. In my mind, that makes them negligent and potentially complicit.

    It’s about time they have to answer for this.

    • The technical stuff I am less worried about. It is more a question of defining who it is that legitimately should have access. A bank or a car dealer – yeah, that’s what it was designed for. Some private detective or reporter on a fishing expedition? Or a potential employer? Where do you draw the line?

      And as you say – they don’t have an incentive to make this terribly strict – they make money off of it. So the incentives are all completely wrong here.

    • The credit bureaus should be barred from imposing fees for security freezes/unfreezes. If they are unable and/or unwilling to properly protect our data, at the very least they shouldn’t be allowed to extract fees from people trying to protect themselves.

    • But, this will not stop the problem. It’s still a problem of how to identify the customer. Right now, all customers are unknown to the retailer. And retailers unlike the customer, have shifted security to the lowest bidder. Customers cannot do that. The customer wants the convenience of the sale. It appears to be a conundrum, security, sales, customer needs. You have to distrust one of them, distrust of the customer, lost sales, no profit. No business.

      • Jim – you are right that merchants need to be able to identify the charge card using consumer. That does not mean that the merchant needs the confidential consumer credentials.

        The “knowing” can be done with a true-token from the consumer that can be passed to the provider (charge card issuer) so the merchant gets paid and the consumer gets billed. This protects the merchant and reduces the value of the merchant’s stored heap of “knowing” from hacker’s treasure trove to something less if that token, on its own, cannot authorize a transaction. It also takes a dynamic authorization derived from elements of that transaction encrypted with a sequence unique to each consumer.

        The token comes from a common smart phone (no special parts), works in physical presence, electronic presence, person-to-person, even non-presence (think about paying a paper utility bill without using the internet) operations super-cards can’t do. Many consumers already have cell phones, providers need no expensive cards and merchants don’t need new readers, and all get increased functionality.

        There is a better way.

        Jonathan @nc3mobi

    • Their answer will always be a lie anyway. There is no way to illegally acquire trillions of pieces of information about people who don’t want you to, while selling that information to everyone else that can ever be defended or secure. Their entire business model is insecure and always will be. Just shut the bastages down.

  6. Robert Scroggins

    Thanks, Brian. I have no doubt that the bad publicity brought against Experian in this case will cause them to make some security changes and make the credit reporting industry take notice as well.

    Regards,

    • Robert,

      Did you mean to put a /sarcasm tag on your comment?

      The worst that comes out of this for Experian is a money fine, which is a cost of doing business. They already have a poor reputation so what changes in that regard.

      Now, if you were to get a CEO or two thrown in jail for a while or big personal money fine against them, then something may happen.

  7. It’s funny how people criticize but very few really understand how weak the American system is

  8. The IRS and Social Security Administration use Experian-supplied test questions to verify the identity of someone registering to use irs.gov and ssa.gov websites for the first time. Appreciate the irony.

  9. LessThanObvious

    The consumer credit rating agencies in general I suspect are a snake pit of inappropriate data use and misguided risk exposure.

    We have little choice in the matter of what these companies are allowed to do with our data or whether they are even permitted to possess it. The idea that an organization that we are forced to depend on for the privilege of accessing credit should do much of anything with that data outside the scope of the credit rating mission, I fear is fundamentally flawed and will continue to open up completely avoidable avenues of risk.

    • I worked for Experian for two years. They suck — at least in terms of making horrible, stupid decisions at the CxO level (I actually mostly enjoyed working there though).

      I don’t think Equifax and TransUnion are any better.

      I’ll point out that it’s not Experian’s fault that Court Ventures was doing business with a criminal. It IS their fault that they (obviously) didn’t do their due diligence, because if they had, they probably wouldn’t have touched Court Ventures (due to liability concerns).

  10. No longer surprised by the breaches at corporations, big and small, as it relates to PII, Card Data, etc. Not to mention the breaches at several Federal agencies…the most damaging being the recent OPM breach.

    As someone who is responsible for ensuring data privacy for my organization, our employees and vendors, customers (Commercial and Federal), I spend a great deal of my time wading through mountains of technical and regulator data to minimize the threats. The dollars expended are equally voluminous when consultants, staffing, hardware/software, and lost productivity are factored together.

    While there is a significant amount of industry and government guidance available, they have become tremendously burdensome to implement regardless of the size of entity. This is not to suggest that these measures should not be implemented, FAR from it… but we have to develop a framework that works to integrate the multiple regulatory and industry requirements that are designed to harden our systems. Not sure how many more diverse requirements/standards will help among the current alphabet soup of PCI-DSS, SOC, Risk Management Framework (RMF), HIPAA, CERT, Privacy Act…you get the picture.

  11. The perpetrator, i.e., the hacker and/or deceiver should also be sued, probably more so than the corporation hacked and/or deceived since if this type of action was made UNprofitable for these evil ones, they would stop.

  12. It has been known for a long time, by the credit repositories, that their data was of very high value to criminals.

    Choicepoint fell victim to this scam back in February 15, 2005 when Fraudsters who presented themselves as legitimate ChoicePoint customers purchased data profiles from ChoicePoint on individuals and used that data to commit identity theft. The initial number of affected records was estimated at 145,000 but was later revised to 163,000. (privacyrights.org).

    Choicepoint was then investigated by the FTC, and they found Choicepoint grossly negligent with their client onboarding process. It seems that a step was skipped in the sales closure process, the actual check to confirm that a customer is actually “doing business as”… a validation of their “permissible purpose” to the data that Choicepoint sells. (from Equifax)

    Fast forward to Experian, getting caught for this… and claiming that they didn’t know….

    Sorry, no security professional in their right mind would not ask for these accounts to be validated. That’s just POOR BUSINESS.

    Choicepoint agreed to pay $10 million to settle a class action lawsuit, I hope that since inflation, that Experian settles the class action, for an order of magnitude or three higher than the original breach that created privacyrights.org.

    This is blatant gross negligence.

    • 1/26/2006 – ChoicePoint paid $10M in civil penalties and $5M in consumer redress as settlement of the FTC investigation. TWO YEARS LATER 1/27/2008 ChoicePoint paid $10M to settle class action lawsuit.

      So who “won”? Maybe the lead plaintiff and lawyers in the class action? Or, maybe the FTC if they kept the $10M? It sure wasn’t the 163k consumers whose PII was exposed.

      Jonathan @nc3mobi

  13. …and of course not only are we trying to complete major projects with as few people as possible but much of the development is being pushed offshore to countries where “you can get a quality programmer for $10/hr”.

    Unfortunately many companies don’t want all their details offshore so they don’t give these programmers the full details of what they are programming for…..and then the execs wonder why projects don’t complete on time.

    Well if you don’t provide the details necessary for a quality job you shouldn’t be expecting quality results.

    • I hardly think giving some scammer in India full access to millions of foreigners is the right answer.

  14. Anyone who thinks they are going to get rich off of this – or crush this company into non-existence – is a big dreamer.

    What the government should do, or should have done many many years ago is limit the amount of PII that is used by these credit organizations. They sell your PII in a mild form, and here come a ton of BS offers from all sorts of companies….legit and non-legit.

    Brian has offered quite a few writeups about this subject, so I’ll make it short. All it takes in any organization is one insider or one non attentive person and an issue can be created. This is far from the double and triple checks in an ER room to ensure the information at hand is accurate so a proper diagnosis can be given.

    In the cyber world, things move too fast, the ability to dig through thousands of records after the fact is nearly impossible – or so it seems. I am noting them an “out”, in my opinion they are at fault and liable for what they do. They accept the risk – and payments – everyday.

    It’s another company that makes a killing and if they are simply grabbing, errrr cash with their pants around their ankles, then in the end, who is at fault….The guy who yanked them down and got 13 years, and the company for allowing the guy to yank’em down.

  15. @Scott
    I really do honestly feel sympathy for all those that have to juggle all that. I know it’s not easy. It does get mind-blowing to go through it all when it can sometimes come down to a simple decision to NOT use a particular program and just filter out a set of IP’s instead. But then there is BYOD that complicates things for many businesses. It’s all part of why so many companies won’t allow Facebook to be accessed on company machines (while employees go nuts over just that). Meanwhile, a series of apps (written by who knows who) and constant use of email for every little thing gets everyone numb. That’s not to mention the refusal to get away from java based software. All while requiring flash to remain on all computers for being able to run ‘training’ videos. lol….training videos that emphasize security and privacy. There is so much to all of this that the need for an IT dept. really is there. But, I know, it’s all about the money. What are ya going to do? It’s part of why the bulk of my comments on this site are mainly meant for individual home users.

    @Steve
    We can all see the quality job that we are getting from (in part) these offshore coders. Personally, I’d rather see this ‘offshoring’ thing stopped altogether. At this point, nothing is seen as worth having unless it comes from the mid/far east. But who am I? What do I know? lol….

  16. maybe they will offer those affected multiple years of ID theft protection, or at least offer to clean up any mess on the credit report.

    I’d say they should use a 3rd party product to ensure the effort is done, rather than take their word for it. BUT now “lie-lock” is being hammered by the FTC, again….

    http://www.csoonline.com/article/2951292/data-protection/ftc-sues-identity-protection-service-lifelock-again.html#tk.rss_news

  17. If only this article had a little sex in it we would have many more comments to read, yet the issue is really a lot larger in scope since they hold way more information about everyone.

  18. It seems to me that those who collect personal data from uncompensated people should be held to a very high standard. These are people who had no dealings with Experian and suffered actual or potential damage. People don’t get to have a say on security in Experian and must rely on them to do the right thing. The courts should hold Experian liable along with Ngo.

    • What about the companies that provided the information to Experian in the first place, don’t they have responsibility as well?

  19. Any insight about Prabook? http://prabook.org/web/home.html
    This seems to be hosted in Belarus. I was dismayed that it posted so much sensitive data about me. Though they will take it down, it already has been out there for goodness knows how long! Doubt that this was linked to the Experian hack … more likely an army of people porting over “Who’s Who” and technical pubs from years ago.

  20. I suspect that the credit card companies and other banksters actually profit somehow from ID fraud.

    Why?

    Because they seem to be making it deliberately harder to protect yourself against it, rather than easier.

    The apt building I live in got a big mailing of pre-approved CC offers the other day, which a lot of recipients just threw, intact, in the trash bin by the mailboxes. Knowing what could happen if they fell into the wrong hands, I took them, cut them into alternating strips, threw the even-numbered strips into the paper recycling, and kept the odd-numbered strips to chuck out in a few weeks. This way nobody will likely be able to reconstruct any of them, even if they try to sift through the garbage and tape one back together (and CC companies have been known to accept one of these things after it’s been cut up and then taped back together).

    I found that they’ve actually made it physically more difficult to cut those things apart now, particularly the part containing the activatable card itself.

    If you ask me, preapproved card offers shouldn’t be mailed unsolicited in the first place. It shouldn’t be allowed. And activating a new line of credit in the name of person X should require producing ID somewhere, in person, that shows you are person X, not just knowing a few details about person X.

    The banksters could make it that difficult to perpetrate ID fraud easily and quite cheaply. They don’t. Instead they actually make it more difficult to “defuse” an unwanted preapproved credit card offer, at the expense of additional paper, plastic, and cardboard.

    The only likely reason is that their bean counters expect more beans if they make ID fraud easier than if they make it harder.

  21. If your identity was stolen tomorrow who would YOU call? Check out my business website. 100% hands off recovery for less than $1.00 a day. Safe ID Trust. Email me for more info. Save 33% on one year membership, limited time! Covers you and your family.

  22. Losing big PII data over and over by the tens of millions is no big deal for health, finance, retailers and other holders of large quantities of this data because they are getting away with losing the data. Not much real consequences for them. I see them laughing in their board meetings saying to each other: Oh well, we’ve been hacked again! “Tom can you send out another email to all the credit card holders who’ll be affected that we’ve got them covered for another two years of credit monitoring”. And for that credit monitoring they turn around and give all that PII to yet another new Indian outsourcing company to provide the credit monitoring.
    It is about time that lawyers catch up with this scam of PII holders being cheap or cutting corners to cut costs in protecting the data then getting away with offering two years of credit monitoring. Lawyers can take these companies to court and dissect their security infrastructures as how well they really were prepared to protect their data. Did they have competent security staff on their payroll? Or were they outsourcing protection of the data to save money for a payout for the CEO’s new yacht and bonuses for the board?

  23. This is very disturbing news. These data brokers are probably selling this information to other criminals just like Ngo while we speak.