How Experian Sold Consumer Data To Popular ID Theft Service

from the oops dept

Brian Krebs, who continues to be a one-man reporting juggernaut when it comes to revealing the practices of online criminals, has posted quite the story about how information giant Experian apparently sold a ton of consumer data to an ID theft services, Superget.info, run out of Vietnam by a guy named Hieu Minh Ngo. Ngo was just arrested, after a grand jury indictment, and the feds luring him out of Vietnam to Guam over a supposed business deal. However, more interesting is the background here, in which Ngo was apparently able to buy access to a ton of consumer data that originated from U.S. Info Search. How he got it, and Experian's involvement, was a bit complex.

Basically, U.S. Info Search had an information sharing deal with a company called Court Ventures -- who was purchased by Experian in early 2012. The deal between USIS and Court Ventures was that both parties could sell their data, but in both cases, they're supposed to only sell it to registered US businesses. Apparently Court Ventures wasn't all that careful about that requirement. It appears that Ngo convinced Court Ventures that he worked for a US-based private investigator, and that was enough for Court Ventures. Krebs spoke to the CEO of U.S. Info Search, Marc Martin, who provided more info, which he found out after hearing about all this from the Secret Service:
While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”
There's a lot more in Krebs' piece (go read it), about what happened here (as well as more info on Ngo). But the open question is whether or not the FTC might also go after Experian for allowing this to happen. It also raises questions about how well the giant data brokers protect consumer info (answer to nearly all of those questions: they don't). Furthermore, the piece details how the FTC has been taking an increasing interest in these kinds of issues, but hasn't really done much for many years, and how that's more or less allowed these kinds of scams to happen with frightening regularity.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Oct 21st, 2013 @ 1:49pm

    If a company wants to grow it's identity theft protection business, the best way to do so is to sell a vast database of consumer data to identity thieves. Then they know exactly who is being targeted by them, and know that their marketing materials will be welcome the next time they send out a mailer.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Oct 21st, 2013 @ 1:52pm

    Curious about ID theft protection

    So, I saw this part:

    "Experian portrays themselves as the databreach experts, and they sell identity theft protection services."

    And I wondered - what is this theft protection - it is some sort of insurance policy where they reimburse up to some amount in "damages" resulting from ID theft? Do they actually have any exposure here, or is it completely reinsured by another entity? If the latter, perhaps this was all intentional - knowing that by giving away information to ID thieves, there would be a higher demand for this service, which they would take a cut of profits, and zero risk... one has to wonder.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    John Fenderson (profile), Oct 21st, 2013 @ 2:13pm

    Re: Curious about ID theft protection

    The outline of their ID theft protection is here: http://www.experian.com/consumer-products/identity-theft-and-credit-protection.html

    They're much like most other ID theft protection services, but they do include a $1,000,000 ID theft insurance policy. I don't know the details about that.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Oct 21st, 2013 @ 2:20pm

    Re: Re: Curious about ID theft protection

    Aha, there's a footnote there:

    2: Identity theft insurance is underwritten by insurance company subsidiaries or affiliates of Chartis Inc.

    Which suggests that most, or all of the risk is actually underwritten by a reinsurer.

    Something tells me that reinsurer will be increasing their premiums and/or dropping Experian entirely if they believe they're actually contributing to the problem ;)

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Convert hearsay to fact, Oct 21st, 2013 @ 2:30pm

    So I've got a 70+ year old serial fraudster

    Who I'm trying to confirm a hearsay to an actionable fact because public law officials are like most people - lazy.

    The hearsay - He has 2 Social Security numbers. Claims he applied for a replacement card and got a new one instead.

    Problem for me is if I want to dig this stuff up as a private citizen I don't see a way to do that without violating the thicket of privacy laws surrounding SS numbers.

    Any solutions where I'm honest to catch the dishonest? Asking the 'proper authorities' appear to be useless - he's perjured himself in court, owes over a million in back state taxes and is in contempt of court and yet no action seems to be happening.

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    John Fenderson (profile), Oct 21st, 2013 @ 2:55pm

    Re: So I've got a 70+ year old serial fraudster

    I have two social security numbers as well, for the same reason. Although I've never used the first one and don't even remember what it was.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Lurker Keith, Oct 21st, 2013 @ 3:10pm

    Re: So I've got a 70+ year old serial fraudster

    Perhaps you should do what Judge Otis Wright did w/ Prenda & send the info you have to the IRS?

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    ECA (profile), Oct 21st, 2013 @ 5:31pm

    OK

    NOW can we sue them?

    WHO NEEDS HACKERS when we ell them our data..

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    RyanNerd (profile), Oct 22nd, 2013 @ 6:17am

    Homer Simpson

    Ooh a talking moose wants my credit card number, that's only fair.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Legion2k13 (profile), Oct 22nd, 2013 @ 1:44pm

    Experian Sold Consumer Data To Popular ID Theft Service

    In the need to know department:

    Experian is the company that is used to verify your identity on the new Healthcare.gov website......
    Now that scares me!

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Mason Wheeler, Oct 23rd, 2013 @ 11:22am

    It gets worse

    Experian isn't just a data company; they're on one of the three major credit bureaus in the USA. All of the financial information that goes into your credit rating... yeah. Experian has that. And they sold it to an ID theft ring.

    Can we convene the grand jury now?

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Johann, Oct 28th, 2013 @ 9:34pm

    Petition to White House just created

    I have created this petition to demand respect for our rights to know if we are affected and for reimbursement of cost.

    https://petitions.whitehouse.gov/petition/demand-experian-contact-and-pay-damage-12-million-con sumers-whose-data-was-sold-hacker/WBwKv46z

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This