

Experian ID Theft Exposed 200M Consumer Records

ID theft ring sold access to database with 200 million consumers' private data to 1,300 criminals.

A Vietnamese identity theft ring allowed criminals to conduct searches on an Experian-owned database containing information on 200 million consumers.

That information was revealed in a March 3 federal court hearing in which Hieu Minh Ngo pleaded guilty to running a business from his home in Vietnam that provided access to US consumers' personally identifiable information (PII), security journalist Brian Krebs first reported.

According to the Justice Department, Ngo sold "fulls," a term for bundles of PII that can be used to commit bank fraud and credit card fraud, and to file fraudulent income tax return requests. The fulls were advertised via a number of underground cybercrime sites, including Superget.info.

Just how big was the data breach involving the Experian database? US attorney Arnold H. Huftalen told the court that Ngo had allowed 1,300 criminals to "make more than 3 million queries of U.S. citizens' PII" over an 18-month period, according to a transcript of the hearing.

But the defendant couldn't confirm the number of records that may have been accessed, his lawyer, Michael J. Connolly, told the court. "Ngo was not aware of the number of queries that were conducted by his clients," he said. "He doesn't dispute the number. He just simply did not have that knowledge." In other words, well more than 3.1 million consumers may have been affected.


Huftalen told the court that information obtained by Ngo's criminal clients included "individuals' names, addresses, Social Security numbers, dates of birth, places of work, duration of work, dates of employment, state driver's license numbers, mother's maiden names, bank account numbers, bank routing numbers, email account names and addresses, and other account passwords." He also said that while an exact count of the consumers whose PII was accessed by criminals wasn't yet available, "that information will be available in the near future."

According to the Justice Department, Ngo's clients made 45,000 deposits -- totaling more than $1.9 million -- to a Liberty Reserve account he controlled. Liberty Reserve, a Costa Rica-based digital currency company, was shut down in May 2013 by the Justice Department, which described it as the "bank of choice for the criminal underworld" and accused its administrators of enabling clients to launder $6 billion in ill-gotten gains.

During last week's hearing, Ngo pleaded guilty to one count each of wire fraud, identity theft, and access-device fraud, and faces a maximum prison term of 45 years. He's due to be sentenced on June 16.

Ngo, who was first arrested in February 2013 in Guam, still faces computer hacking charges filed in New Jersey federal court. According to last week's court transcript, he's also assisting with another criminal prosecution that was filed in New York federal court.

According to the Justice Department, Ngo posed as a Singapore-based private investigator to get access to Court Ventures, which billed itself as a firm that "aggregates, repackages, and distributes public record data, obtained from over 1,400 state and county sources," and which served as a reseller for data provided by US Info Search. Court Ventures was purchased in March 2012 by Experian, which is one of the country's three biggest data brokers. But Experian failed to spot Ngo's inappropriate data access, which continued for another nine months, until the US Secret Service alerted the company.

When news of the breach perpetrated by Ngo first surfaced in October 2013, Experian argued that "no Experian database was accessed" by the criminals, saying the information had come from US Info Search. The firm declined to respond to questions about whether it would issue data-breach notifications to consumers whose information may have been obtained by criminals.

The Experian data breach highlighted the double-edged business of data brokers who buy and sell people's personal information, but who can't be held liable if that information gets inappropriately procured or used. Likewise, consumers have no ability to opt out of having data brokers buy or sell their personal details.

On a related note, the Senate Committee on Commerce, Science, and Transportation launched a data-broker investigation in October 2012, which culminated in the release of a report in December 2013 that called into question whether the industry's self-regulation properly safeguards consumers' privacy. In particular, the report accused the nine data brokers under investigation -- including Experian -- of operating "behind a veil of secrecy."


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

User Rank: Apprentice
3/18/2014 | 6:05:43 PM
Resolution time
It always amazes me how long it takes organizations to resolve these issues after they realize, usually from a third party, that something is wrong. According to the 2013 HP-Ponemon Institute Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013), on average incident resolution takes 32 days, and the average organization deals with 100 plus attacks per year. Time to change the culture and attitude towards preparing and maintaining a secure front.

Peter Fretty (j.mp/pfrettyhp)
Michael Endler,
User Rank: Apprentice
3/12/2014 | 3:23:27 PM
Veil of Secrecy
"In particular, the report accused the nine data brokers under investigation -- including Experian -- of operating 'behind a veil of secrecy.'"

No kidding. I wouldn't be a fan of Experian even if this breach hadn't occurred. Now that it has, I hope more people question the influence these kinds of companies wield.
User Rank: Apprentice
3/12/2014 | 2:33:05 PM
Re: paper scissors rock.. gambling with your data
gmail addresses are more valuable than facebook email addresses.

Your suggestion that one try all login methods and then guess what data is being mined from each one is just playing paper scissors rock.

There is no valid reason information week needs relationship data for a comment. Given you point out they collect fewer data points with gmail logins, it would argue that the excess collection is unwarranted.

Thus, even if someone agreed with playing paper scissors rock with the logins, information week is collecting data for no valid business reason.

They collect it to mine data.  They are part of the problem, not the solution.

Secondly, the farmed content (rewritten from Brian's article) is now linked on infosec news, and dark reading. This is how companies hijack content, make it their own, and then propagate it. That way they essentially take readers away from the original author. In effect they steal content much like a scraper site that republishes content.

Of course the business model promises great rewards, but it's all smoke and mirrors. In the aggregate, we are all poorer by such businesses that try to get grandma to buy soap a instead of soap b.

The shocking thing to me is the author of the article and information week feel no remorse, they don't feel they have done anything wrong. They are, as the infamous banker said "doing God's work", so they think.

It's particularly troubling to see these folks clearly viewing themselves as on the side of 'good'. When put up against the golden rule ("do unto others as you would have them do unto you"), the information mining and selling our data fails miserably. Information week doesn't sell its email addresses, relationships, etc. They consider that too risky and too valuable. But they have no problem with mining data in exchange for posting a comment. The price to have a voice in the internet era is very very high indeed. Even if one does not comment, they will mine the page views, so a price to even hear about a story they stole from someone else is quite high.

And that's the great business model of big data. It's not about actually making a product or creating content, it's about content farming and selling your data. It's not a sustainable economic model and in the aggregate we are all poorer for it. Some will get rich if they cash out before the 'big one', but in aggregate, we are all poorer.


So no, gmail address instead of facebook is just paper scissors rock.
User Rank: Apprentice
3/12/2014 | 10:40:57 AM
Re: Zero Trust
Interesting take.

On a related note, the Experian Data Breach Resolution service in November issued a report predicting that data breaches and related fraud would increase, especially as consumers' "breach fatigue" intensified.
Drew Conry-Murray,
User Rank: Ninja
3/12/2014 | 10:34:04 AM
Zero Trust
This is why I didn't sign up for Target's free credit monitoring after Target got breached. I didn't want to volunteer my information to companies like this because they are lousy stewards (not to mention I have serious problems with the whole business model).
User Rank: Apprentice
3/12/2014 | 10:14:44 AM
Re: Numbers
You don't have to login with Facebook on this site.  I use a Google e-mail account.  I don't do much with it but collect spam from various places where I use it as a login.  I never use Facebook as a login, anywhere, period.  If Facebook is required, then I don't login.
User Rank: Apprentice
3/12/2014 | 9:37:22 AM
Re: Numbers
Jim: The short answer is that the database to which Ngo had access contained information on 200 million US consumers. The government has said that Ngo's clients (i.e. criminals) made 3.1 million queries. As of about 2 weeks ago (at the hearing) it wasn't able to say which US citizens had their records accessed, at least not yet. 

During the recent hearing, Ngo said that he couldn't confirm/deny the government's numbers, because he simply didn't know. 

Accordingly, if the government's count is accurate, then 3.1 million queries were made, and many, many more records may have been accessed. But when it comes to data breaches, initial counts can fluctuate wildly (in either direction).

I have a query out to Experian, asking if it can confirm the 3.1 million query number. 

From a security/privacy standpoint, the fact that an ID theft ring gained access over a period of many months to an Experian-run database that contained information on 200 million people is troubling.
User Rank: Apprentice
3/12/2014 | 1:05:17 AM
Re: Numbers
1) It must be noted that to reply to your comment, I had to 'consent' to having my facebook data mined by infoweek, so let's be clear, they ARE part of the problem, and add one to the list of compromised information. :)


2) the numbers don't add up due to a) imprecise estimates b) a request for a record returns a page of records, thus there is a multiplier applied to the requests to get to the result and c) unclear reporting, which is likely due to lack of understanding, time pressure, and grabbing the numbers from Brian's blog instead of doing the math themselves.


Unfortunately, the media is part of the problem.  They feel they must repackage the story to add to infoweek 'content' rather than simply linking to it.  This is a similar model to the data brokers who copy the data and pass it around as well.  In the end, there is little 'new' content.  The money is made in repackaging and selling it, as this article does.

The problem of course, is in the aggregate, society loses while the data brokers are like gamblers who use your data as the casino chips. Given that there is at least a non-zero chance of losing the data, through hacks such as Target, or scams such as Experian, or goofs where they publish the data accidentally, and given that there is no end date for the gambling, the probability of disaster is certainty.

In the aggregate, there isn't any gain from getting a consumer to buy soap A vs soap B. In fact, there is a loss. And given that eventually the whole thing will be compromised it becomes eerily similar to the derivatives and leveraged gambling that caused the recent Great Recession. A few will get rich.. particularly those that build the casino, gamble with your data, and cash in (sell shares to your pension fund). They will walk away rich.. as the bankers did.

I don't think we learned a darned thing from the financial crisis.  The IT folks think they are smarter than the financial engineers because the IT folks can scale up and leverage more.

It won't end well.

Anyway, the answer to your question is in the many to one ratio of requests to records returned.  As an example, if you put in john smith you get a whole list of john smiths, and you just pick the ones you want (yup, they just let folks browse the info!).. but hey, they are paying customers.. so it's "OK".

..well, now back to blocking informationweek from my fake facebook data.. gotta run!


good luck.
Jim Donahue,
User Rank: Apprentice
3/11/2014 | 1:46:12 PM
I'm not quite following the numbers here. Is it they had access to a database with info on 200M users but only accessed data on 3.1M?