The credit bureau Experian appears to have sold an unknown amount of highly sensitive personal information to a Vietnamese national who maintained an online identity theft service, according to a long-running investigative report published by Krebs on Security reporter Brian Krebs.
Experian, which is reportedly under investigation by the United States Secret Service, is one of the three primary credit reporting agencies in the U.S., alongside TransUnion and Equifax. These three credit bureaus gather the personal information of U.S. citizens – such as bill and loan payment information, the amount of debt a person holds, where that person works and lives, whether that person has been arrested, sued, or filed for bankruptcy, and much more. They then sell that data to nearly any would-be creditor, employer, insurer, or anyone else wanting to run a background or credit check on an individual whose information is stored in the database.
As the Internet has evolved into a ceaseless information gathering machine, a data brokering industry has emerged, promoting the sale of personal information acquired through cookies and other means of online Web-tracking to nearly anyone who would pay. While the services cater predominantly to advertising agencies attempting to better target ads toward interested consumers, this and another report by Krebs have illustrated the dangers of collecting these troves of personal information and storing them in online databases.
The first report sheds light on information security weaknesses that enabled a separate identity theft service to steal and sell online information from LexisNexis, a compiler of legal and criminal record information, Dun & Bradstreet, a New Jersey-based collector of corporate licensure information, and an employment background screening company called Kroll Background America Inc.
This latest report alleges that a company owned by Experian negligently and willingly sold information to a Vietnamese cybercriminal posing as an American private investigator.
The Vietnamese man said to be impersonating a U.S. private investigator is Hieu Minh Ngo. Ngo was reportedly lured into New Zealand and ultimately extradited to the U.S., where he faces a slew of criminal hacking-related charges in New Hampshire. Ngo operated a number of identity theft sites, one of them called “superget[dot]info,” where Krebs claims he was selling information purchased from the Experian-owned company.
The Experian subsidiary that actually did the selling is a company called Court Ventures, which, according to Krebs, was acquired by Experian in March 2012. Interestingly, the information sold actually belonged to a third data firm, U.S. Info Search.
Krebs spoke with Marc Martin, CEO of U.S. Info Search. Martin explained that his company struck an information sharing deal with Court Ventures before Experian purchased the company. The deal stated that each company would be granted unfettered access to the other’s databases of stored information on U.S. consumers. Martin also told Krebs that the deal barred Court Ventures from selling any of U.S. Info Search’s data to anyone other than “licensed and credentialed U.S. companies.” Despite this, Court Ventures accepted wire payments from Ngo via Singapore, and Experian failed to investigate that source of income for more than a year after acquiring the company.