from the oops dept
Basically, U.S. Info Search had an information sharing deal with a company called Court Ventures -- which was purchased by Experian in early 2012. The deal between USIS and Court Ventures was that both parties could sell their data, but in both cases, they're supposed to only sell it to registered US businesses. Apparently Court Ventures wasn't all that careful about that requirement. It appears that Ngo convinced Court Ventures that he worked for a US-based private investigator, and that was enough for Court Ventures. Krebs spoke to the CEO of U.S. Info Search, Marc Martin, who provided more info, which he found out after hearing about all this from the Secret Service:
While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.
“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”
There's a lot more in Krebs' piece (go read it), about what happened here (as well as more info on Ngo). But the open question is whether or not the FTC might also go after Experian for allowing this to happen. It also raises questions about how well the giant data brokers protect consumer info (answer to nearly all of those questions: they don't). Furthermore, the piece details how the FTC has been taking an increasing interest in these kinds of issues, but hasn't really done much for many years, and how that's more or less allowed these kinds of scams to happen with frightening regularity.