March 23, 2018

The City of San Diego, Calif. is suing consumer credit bureau Experian, alleging that a data breach first reported by KrebsOnSecurity in 2013 affected more than a quarter-million people in San Diego but that Experian never alerted affected consumers as required under California law.

The lawsuit, filed by San Diego city attorney Mara Elliott, concerns a data breach at an Experian subsidiary that lasted for nine months ending in 2013. As first reported here in October 2013, a Vietnamese man named Hieu Minh Ngo ran an identity theft service online and gained access to sensitive consumer information by posing as a licensed private investigator in the United States.

In reality, the fraudster was running his identity theft service from Vietnam, and paying Experian thousands of dollars in cash each month for access to 200 million consumer records. Ngo then resold that access to more than 1,300 customers of his ID theft service. KrebsOnSecurity first wrote about Ngo’s ID theft service, alternately called Superget[dot]info and Findget[dot]me, in 2011.

Ngo was arrested after being lured out of Vietnam by the U.S. Secret Service. He later pleaded guilty to identity fraud charges and was sentenced in July 2015 to 13 years in prison.

News of the lawsuit comes from The San Diego Union-Tribune, which says the city attorney alleges that some 30 million consumers could have had their information stolen in the breach, including an estimated 250,000 people in San Diego.

“Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds,” writes Union-Tribune reporter Greg Moran.

Experian did not respond to requests for comment.

Ngo’s identity theft service, superget.info, relied on access to consumer databases maintained by a company that Experian purchased in 2012.

In December 2013, an executive from Experian told Congress that the company was not aware of any consumers who had been harmed by the incident. However, soon after Ngo was extradited to the United States, the Secret Service began identifying and rounding up dozens of customers of Ngo’s identity theft service. And most of Ngo’s customers were indeed involved in tax refund fraud with the states and the IRS.

Tax refund fraud affects hundreds of thousands of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

In May 2014, KrebsOnSecurity reported that Ngo’s identity theft service was connected to an identity theft ring that operated out of New Jersey and New York and specialized in tax refund and credit card fraud.

In October 2014, a Florida man was sentenced to 27 months for using Ngo’s service to purchase Social Security numbers and bank account records on more than 100 Americans with the intent to open credit card accounts and file fraudulent tax refund requests in the victims’ names. Another customer of Ngo’s ID theft service led U.S. Marshals on a multi-state fugitive chase after being convicted of fraud and sentenced to 124 months in jail.

According to the Union-Tribune, the lawsuit seeks civil monetary penalties under the state’s Unfair Competition Law, as well as a court order compelling the Costa Mesa-based company to formally notify consumers whose personal information was stolen and to pay costs for identity protection services for those people. If the city prevails in its lawsuit, Experian also could be facing some hefty fines: Companies that fail to notify California residents when their personal information is exposed in a breach could face penalties of up to $2,500 for each violation.

38 thoughts on “San Diego Sues Experian Over ID Theft Service”

  1. Klaus

    My two cryptocoins on your article on coinhive.
    Here in Germany the political landscape is pretty rough right now. People get their houses, vehicles and family attacked by radical alt lefts. What you are doing is slender in its purest form, and especially with your past you should know better.

    1. Henry Winokur

      “Slender”?

      Did you mean “slander”?

      If you meant slander, then you clearly don’t know the meaning of the word. Go look it up.

  1. Doug Selix

    Question: From what you learned, would a credit freeze on an Experian account have prevented this type of access? I’m wondering if there is a class of trust with a supposed private investigator that exposes this data.

    1. BrianKrebs Post author

      No, because the data that was accessed by the ID theft service was managed by a company that Experian acquired called Court Ventures.

      1. i1uluz

        I have a security freeze in place per Virginia code. The other day I needed to lift it, to apply for a loan. I called Equifax, had my PIN ready. After 6 different reps I was asked questions off of my credit report and it was lifted. The problem is my PII is compromised, and there is a federal investigation ongoing, 3 years so far. Credit monitoring is “allowed” under the VA code, so if your PII is compromised, they can lift your freeze if they can access your reports. I was asked about a couple of my current and past loans. All the info is on the report. I don’t believe there is a foolproof system to protect your credit without taking your reports offline. In that case your auto insurance rates will most likely increase since they use your FICO scores to underwrite your rates.
        USPS used the fraudulent address provided to them via a contract with Equifax to authenticate my ID for Informed Delivery. Neither USPS nor Equifax can or is willing to explain where or how it is happening or the source of the info. I do have emails with the Informed Delivery Program Manager admitting some of the issues I pointed out will be worked later this year. Brian, some of those issues I told them about came from your site and a few I figured out having dealt with the fraud for the last 4 years. Also some of their PowerPoint slides are online for public viewing as they worked on the project. Seems the sender has access to the info also, so a credit card company could use that info to claim the victim did receive the card in the mail, so therefore the victim should be forced to pay for the charges if it went to court proceedings.

  2. James

    Pathetic sentencing time for ruining a person’s financial and personal life. They will soon be back on the street committing more ID theft, tax refund and credit card fraud.

    1. Catwhisperer

      Seems to be working fine on a ZTE. Just pinch separating fingers to view on smartphone. No need to even do that on a tablet…

      1. Harry D.

        Sure, I can enlarge the text so that it’s readable on my LG but there’s all that damnable side-to-side scrolling. It’s ponderous. So I just read Krebs on my PC.

      2. JamesZannetti

        Sigh Catwhisperer sigh…..

        Mobile site please!

  3. JCitizen

    The credit bureaus have got away with being more regulated for half a century, it is now time to put the thumb of Uncle Sam on them. I hate over regulation, but these bureaus need to shape up or ship out. Somehow they need to have a system to only sell to authorized entities, and the other obvious one is that customers need an easy FREE way to freeze their credit – even if we have to compromise and put a 3 year time limit on it, they need to GIT’ER DONE!!!

    1. JCitizen

      I should say, “got away from” not “with”, but I’m sure my meaning is clear none-the-less!

    2. Mary

      The Privacy Journal reports that Equifax’s reporting has been erroneous and prejudiced for 46 years. Early Equifax violations that outraged Congress and led to the creation of the Fair Credit Reporting Act of 1971 continue. Although the violations are not cybersecurity related, they are telling. The Federal Government has handled Equifax with conflicting approaches: audits and penalties while at the same time bestowing high-dollar federal contracts paying large sums for its data. Another example of additional concern is Equifax’s purchase of CDB Infotek in 1993 even though in 1990 the FTC sued them for illicit sales of personal information. All three credit bureaus have been sued by the FTC. Equifax is a major company continuing to operate while out of compliance, continually, since its start with the law that regulates it. (Journal 2017)
      Journal, Privacy. “Equifax credit bureau: 46 years of defiance.” Privacy Journal, August 2017.

      1. JCitizen

        Under that law that you cite, the Consumer Financial Protection Bureau should be able to pressure the reporting agencies, but I’m not sure they can do it as an overall action or just for individuals. It probably doesn’t help that Richard Cordray is no longer the director over at the CFPB. We need to see some punishment coming from somewhere – they are completely getting out of control!!

  4. oxn

    And what laws will be put in place in the USA now? Every time there is some big fraud arrest, new laws get put in place. The question is: what will be the next law in the USA that has to do with this thing here?

  5. Ollie Jones

    This lawsuit, and the civil fines mentioned in the law ($2500 per person), are a key part of dealing with breaches in a systemic way.

    The cost of breaches has to be high enough to make company risk managers and insurance underwriters ask questions like “how many people’s records are in this system?” “Can you still run the business with fewer records?” “If a breach starts, can you stop it before too many records get out?”

    In health care IT, the cost of breaches is high. And risk managers do a LOT of defense-in-depth work to prevent them and reduce their seriousness.

    The same can be done to defend financial IT records. But unless it’s the most cost-effective way to run these businesses, it won’t happen.

    It’s a shame city attorneys have to be at the forefront of this kind of reform. But I guess we should take it where we can get it.

    1. Rick

      “The cost of breaches has to be high enough to make company risk managers and insurance underwriters ask questions like “how many people’s records are in this system?””

      The easier way to say/do that is to make the cost of not complying much higher than the cost of complying.

  6. Tsailing Merrem

    Can the California government sue Equifax? I don’t recall Equifax notifying people. Instead, we have to log on to its site and verify if our data is compromised and pay Equifax to freeze our credit.

    1. FreezeIt

      If you paid Equifax to freeze you did something wrong. There was no charge to freeze.

      1. JCitizen

        That is not how I understood it. There was no charge to get credit monitoring but not the freeze. I checked, and I was going to have to pay 5 dollars per agency to freeze it. I don’t see why I should have to pay squat for THEIR mistakes!

      2. Tim

        I believe there was a fee if you froze your account before their breach, but after the breach, they rescinded the fee. Of course, the other companies did charge a fee.

      3. Jim

        Every state makes a legal determination whether credit freezes are to be free for their citizens, or not.

  7. Kamil Faizi

    I am so glad this article came into light.

    Sad to see firms like Equifax and Experian not taking our data seriously. And then they advertise that they wanna protect people? I don’t think so.

    I am glad I am affiliated with IDShield (provided through Kroll). Good to be with a company that takes security and data seriously.

  8. Steve

    This is such a common occurrence these days; it has been for too many years and continues to happen ever more frequently. From local entities such as in this case, right on up to the federal level, government agencies are suing over grievances against the public, but the settlements result in payment to the government and the funds are NOT passed on to the actual victims. It’s nothing more than another way to generate revenue.

    Sue their pants off, fine with me, but the money needs to go to those who were harmed!

  9. Janet Parrish

    I just recently learned that my identity has been breached. Someone filed a 2016 tax return with my identity. I am devastated and disillusioned and very afraid of whatever else has been done. What kind of compensation is there, and how do we fix this? I need help. Please!!!

    1. JCitizen

      I’m not sure they start with IRS issues, but you could always contact the Consumer Financial Protection Bureau online and maybe they will help, or point you in the right direction.

      It is a lot easier to do a credit freeze right now with at least four of the biggest agencies, than to try and clean up the problem yourself, though.

  10. Gary

    Experian selling an identity protection service: what a joke, and it just isn’t funny. Zero ethics, anything for a fast buck.

  11. Lilly

    Does anyone create online accounts with the 3 credit bureaus? I do not like to create accounts, but am also concerned that someone malicious could create the account before I do, like the IRS post a while back. What do most of you do? Thanks

    1. JCitizen

      If you ever borrow money or get a credit card you will automatically get your data listed and stored at the reporting agencies; you have no say in the issue. This is why I get so mad, because they obviously need more regulation, and they have been getting away with murder for far too long.

      If you have NEVER borrowed money or requested credit EVER, then you have nothing to worry about. I don’t know anybody like that.

    2. JCitizen

      The IRS will eventually make your tax issue whole again, but how soon I don’t know – most likely the crooks got your name from a database somewhere there was a breach. It may not necessarily be from a credit or store breach; it could come from anyone you did business with, including the doctor’s office!!

  12. Chip Block

    I am wondering if this is the first shoe to drop after the Supreme Court let stand lower court rulings that future harm gives standing to lawsuits in cyber cases. Previously, plaintiffs had to prove “direct harm” to file a case like this, but that interpretation is thawing. The Supreme Court did not rule on this, so you might be seeing a lot of these cases. Can plaintiffs start to sue for all breaches over the past five years now? Uber has to be sweating this heavily now as they are faced with the same delay-to-report situation.

  13. Mark Gibson

    It’s time dragnet surveillance capitalists like Equifax, Experian, TransUnion and Facebook were brought to heel and regulated.

    Only strong regulation will drive reform. We do not want our personal information and behavior, in the form of clicks, packaged and sold to anyone with a credit card.

    I hope this case succeeds.

  14. Henry Winokur

    It couldn’t have happened to nicer people.

    First they take our info without our permission, and then they don’t protect it, AND they make money off it again without our permission, and they’re surprised when somebody gets mad.

    That’s chutzpah!

    Great job, as always, Brian.

    And no matter what Klaus says, keep up the good work! 🙂

  15. Josh

    As a consumer, is there anything I can do to stop something like this? Mitigate the damage if something like this does happen?