Experian Exposes 200 Million Consumer Records
Monday, March 10, 2014 18:29

Hieu Minh Ngo

Brian Krebs reported today that Hieu Minh Ngo, the Vietnamese national arrested for running an identity theft program out of his home, “tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million
Last fall, news broke (via Krebs) that Experian had inadvertently sold consumer data to an identity theft service.

With the release of court records, it is now clear how large this security exposure is: 200 million consumer records. According to Krebs, court records reveal that “Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.” Ngo’s customers made about 3.1 million queries on Americans and used the results to file fraudulent tax returns, open lines of credit, and run up large debts.

The big question is how Ngo convinced Experian to sell him records. His methodology is at the heart of many security breaches.

As we’ve discussed in this blog in the past, Ngo used a form of social engineering: attacking a business through some type of human deception. Many of the recent security breaches have used social engineering tricks alongside sophisticated malware attacks. Ngo approached a smaller security records company, US Info Search, posing as a private detective from Singapore. US Info Search had a data-sharing contract with another company, Court Ventures. So Ngo became a customer of Court Ventures.

When Experian bought Court Ventures, Ngo enjoyed access to Experian records for almost 10 months after the acquisition. During that time he had access to 200 million consumer records and was able to siphon off information such as dates of birth, Social Security numbers and more. At this point, it is not clear how many Americans have actually been compromised.

Thus far Experian has made very few comments on the case, citing the ongoing investigation. According to Krebs, “the evidence offered by the U.S. government strongly suggests that many people were injured by Experian’s lack of due diligence,” and “It remains unclear whether Experian will ever be required to answer for its costly oversight.”

[1] Brian Krebs. “Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records.” KrebsonSecurity, March 10, 2014