An ongoing investigative report has revealed that a man posing as a private investigator may have compromised millions of Americans’ personal and financial records from 2007 to 2013.
The news is the latest fallout from last year’s discovery that Experian, one of the “big three” national credit reporting agencies, indirectly sold consumer data to a Vietnamese national, Hieu Minh Ngo, 24, who was masquerading as a Singapore-based P.I.
Ngo pleaded guilty last week and Krebs on Security reporter Brian Krebs, who has been following the story since last year, acquired a transcript of his guilty plea proceedings, according to a post on his blog today.
According to those proceedings (.PDF) Ngo peddled that data through ID theft websites, giving more than 1,300 customers access to a cache of personally identifiable information (PII) belonging to 200 million Americans, including addresses, previous addresses, phone numbers, email addresses, dates of birth, along with the coup de grâce, their Social Security numbers.
Ngo’s customers ponied up around $1.9 million for about 3.1 million queries on Americans over the course of 18 months. The corresponding database, owned by Ohio-based U.S. Info Search, contained the information on 200 million U.S. citizens.
We learned the basics about the case back in October: Experian-owned entity Court Ventures, an aggregator of electronically available public records data, had a deal worked out with a third-party group, U.S. Info Search, that gave both firms complete access to each others’ databases. Using regular cash wire transfers from a bank in Singapore, Ngo was able to secure monthly access to that database.
While it’s unclear exactly how many Americans may have had their information compromised, Krebs theorizes that since each query exposed multiple records, information about a staggering number of citizens, perhaps as many as 30 million records, may have been divulged.
“At this point the government does not know how many U. S. citizens’ PII was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul Barbadoro in a U.S. District Court in New Hampshire last Monday, according to the report.
Huftalen goes on to add that the way Ngo sold the information, via identity theft websites, customers could access the information by merely just typing in the name of an individual and a state, which makes it much more difficult to get an exact number of those at risk.
Ngo sold customers “fulls,” essentially batches of the information previously described, but also portioned out access to limited bits of information. Ngo charged individuals via Liberty Reserve, a Costa Rica-based currency service.
According to a U.S. Secret Service-led investigation, all of Ngo’s customers claimed they intended to “engage in criminal fraud,” and the government believes the “fulls” were used by carders, criminals who buy, sell, and trade stolen credit card data online, to takeover identities, engage in bank, credit card and ATM fraud, along with the filing of fake U.S. personal income tax returns.
Experian hasn’t said much about the case, citing an ongoing federal investigation but as Krebs notes, in a December hearing the company’s Senior Vice President of Government Affairs Tiny Hadley did acknowledge the incident, stressing that it didn’t find out until the U.S. Secret Service informed them.
“We were a victim, and scammed by this person,” Hadley told Missouri Senator Claire McCaskill at the time.
Hadley later indirectly admitted that the company knows that customers have had their identity stolen but still went on to downplay the incident, adding that “there’s been no allegation that any harm has come.”