An ongoing investigative report has revealed that a man posing as a private investigator may have compromised millions of Americans’ personal and financial records from 2007 to 2013.

The news is the latest fallout from last year’s discovery that Experian, one of the “big three” national credit reporting agencies, indirectly sold consumer data to a Vietnamese national, Hieu Minh Ngo, 24, who was masquerading as a Singapore-based P.I.

Ngo pleaded guilty last week and Krebs on Security reporter Brian Krebs, who has been following the story since last year, acquired a transcript of his guilty plea proceedings, according to a post on his blog today.

According to those proceedings (.PDF) Ngo peddled that data through ID theft websites, giving more than 1,300 customers access to a cache of personally identifiable information (PII) belonging to 200 million Americans, including addresses, previous addresses, phone numbers, email addresses, dates of birth, along with the coup de grâce, their Social Security numbers.

Ngo’s customers ponied up around $1.9 million for about 3.1 million queries on Americans over the course of 18 months. The corresponding database, owned by Ohio-based U.S. Info Search, contained the information on 200 million U.S. citizens.

We learned the basics about the case back in October: Experian-owned entity Court Ventures, an aggregator of electronically available public records data, had a deal worked out with a third-party group, U.S. Info Search, that gave both firms complete access to each others’ databases. Using regular cash wire transfers from a bank in Singapore, Ngo was able to secure monthly access to that  database.

While it’s unclear exactly how many Americans may have had their information compromised, Krebs theorizes that since each query exposed multiple records, information about a staggering number of citizens, perhaps as many as 30 million records, may have been divulged.

“At this point the government does not know how many U. S. citizens’ PII was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul Barbadoro in a U.S. District Court in New Hampshire last Monday, according to the report.

Huftalen goes on to add that the way Ngo sold the information, via identity theft websites, customers could access the information by merely just typing in the name of an individual and a state, which makes it much more difficult to get an exact number of those at risk.

Ngo sold customers “fulls,” essentially batches of the information previously described, but also portioned out access to limited bits of information. Ngo charged individuals via Liberty Reserve, a Costa Rica-based currency service.

According to a U.S. Secret Service-led investigation, all of Ngo’s customers claimed they intended to “engage in criminal fraud,” and the government believes the “fulls” were used by carders, criminals who buy, sell, and trade stolen credit card data online, to takeover identities, engage in bank, credit card and ATM fraud, along with the filing of fake U.S. personal income tax returns.

Experian hasn’t said much about the case, citing an ongoing federal investigation but as Krebs notes, in a December hearing the company’s Senior Vice President of Government Affairs Tiny Hadley did acknowledge the incident, stressing that it didn’t find out until the U.S. Secret Service informed them.

“We were a victim, and scammed by this person,” Hadley told Missouri Senator Claire McCaskill at the time.

Hadley later indirectly admitted that the company knows that customers have had their identity stolen but still went on to downplay the incident, adding that “there’s been no allegation that any harm has come.”

Categories: Data Breaches, Privacy

Comments (4)

  1. Anonymous
    1

    Time to lock away the CEOs. Maybe then they’ll take responsibility for other people’s data seriously.

    Reply
  2. Dawn E. Williams/anonomus
    2

    This may explain some recent issues with my so called credit non-credit all to do with Experian which was good all the sudden not. October 2013 had a problem with an Identity theft/credit score co. After a fight got back initial money yet still monthly these crooks are taking money for ID theft haven’t got rid of that issue, very unhappy about this whole ordeal! Any suggestions to eliminate these awful people gladly would take this to the highest court. I have had ID theft before and am done with it, not fun!

    Reply
  3. Sherri
    3

    What do you mean you found out about it in October.What the bloody hell has been going on. Keep reading and it sounds like the government has know about this for a couple of years and NOW were hearing about this. Lets see they’ll get a hand slap, the fines will go to the government and the big wigs will get large bonuses and we will get a free credit service for a year. SOUND FAMILIAR

    Reply
  4. concerned
    4

    NOW YOU WONDER WHY PEOPLE LIKE THE GUYS IN WILLIAMBURG SC USED POLICE REPORTS TO PUT 7 YEAR ALERTS ON PEOPLE CREDIT.TO HELP PROTECT CONSUMERS.THEY SHOLD BE APPRECIATED AND NOT PERSUCUTED . THINK ON THAT SOUTH CAROLINA .

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>