On April 8, this blog published a post concerning the Court Ventures breach that questioned whether Experian was getting a bad rap for a breach that started with Court Ventures and its reciprocal data sharing agreement with U.S. Info Search. Unbeknownst to DataBreaches.net at the time, U.S. Info Search had issued a press release the previous day. That release, reproduced below, raises some interesting points or questions, which I’ve emphasized in boldface:
In December of 2012 we were advised by the Secret Service that they were investigating Experian for a possible data breach. It is our understanding that the suspect, Hieu Minh Ngo, while posing as a legitimate business, made application to Court Ventures (Now Experian) and was approved for access to their system based on false statements and misrepresentations. His access continued until the Secret Service began investigating questionable payments to Experian from overseas. These large cash payments were sent to Experian via wire from Singapore and apparently not detected or questioned by the Company until they were discovered by the Secret Service.
Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service. We, like many others, provided data to Experian, who in turn sold data to customers they approved and monitored. Experian (CV) also provided client access to their court data as well, and data from at least one other provider.
Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention purposes only.
We have cooperated fully with the authorities in their investigation of Experian and from the onset have urged them (Experian) to make timely notifications.
Important points surrounding Experian’s breach include:
- Experian failed to notify U.S. Info Search of the data breach as required by state statute.
- As of 4/7/2014, or some 15 months after learning of their breach, Experian has failed to cooperate with U.S. Info Search in their investigation of the matter, refused to identify the suspect, supply his application, or even provide his search history, which was stored on their system and not ours.
- Experian showed little-to-no interest in notifying those affected until the recent media frenzy, and they still refuse to cover the cost involved. This is in spite of the fact they promised Congress (Senator Claire McCaskill) they knew who was affected and would ensure they were protected.
- Since the breach, Experian continues to refer the media (CNN, Bloomberg, Wall Street Journal, World News etc.) and State Attorneys General (NY, IL, CT) to U.S. Info Search knowing it was them that approved the suspect for access to their system (Not Ours). They sold him data from multiple sources, collected up to $500,000.00 or more in funds from the suspect, and then refused to notify those affected as required by law despite our continued and repeated urging.
- Experian acquired Court Ventures in March of 2012 and the misconduct continued for the better part of a year until the large cash wires to Experian were detected by the Secret Service in December of 2012. If you include the due diligence pre-purchase time, we believe Experian was involved with Court Ventures during virtually the entire period in which Ngo accessed data from their system.
- The Secret Service reports the suspect ran up to 3.1 million queries from Experian and Court Ventures systems and he sold the data to criminals worldwide. According to published reports, this may have included up to 200,000,000 Americans’ personal identification data to the suspect, for which he collected almost 2 million dollars.
- We believe almost half of the suspect’s queries were performed on Experian’s watch – post acquisition.
- The suspect, Hieu Minh Ngo, had applied to U.S. Info Search service and in fact was denied based upon our normal vetting process in which only about 20% of business applicants are approved.
- The media reports Experian has had as many as 100 data breaches over the last several years.
- Experian continues to sell data to users via their website located at (names. dob’s addresses) www.appcheckdata. This includes Court records, bankruptcies, liens, judgments and evictions.
- Court Ventures owner Robert Gundling sued Experian in October 2013, saying the provider of consumer credit information owed him $2.3 million that was put into escrow when he received $16 million for the transaction. Experian filed a countersuit in February, saying it had withheld those funds because Gundling did not fulfill the terms of the original contract. It accused him of providing misleading information about his business, including details about ties with SG Investigators (NGO).
- According to Experian there has not been a single case of fraud reported as a result of their breach. At the same time, we have learned the suspect sold personal identification data to over 1,600 people with damages estimated to exceed tens of millions of dollars. See Senate hearing on 12/18/2013 video here: http://www.commerce.senate.gov/public/index.cfm?p=HearingsandPressReleases&ContentRecord_id=a5c3a62c-68a6-4735-9d18-916bdbbadf01&ContentType_id=14f995b9-dfa5-407a-9d35-56cc7152a7ed&Group_id=dcb92227-73d9-4ff2-a610-9f43df72faa5
- During this same hearing, Tony Hadley of Experian said they know who was affected by the breach and were going to protect them. Yet, as of April 7th 2014 we know of no action taken to notify those affected since Experian’s breach was discovered by the Secret Service in December of 2012.
From what we can tell this technically was not a “data breach”. A data breach is defined as unauthorized access, and Court Ventures (now Experian) clearly approved access, allowed continued access for many months, failed to monitor usage, and then failed to notify the victims despite our continued urging. While not technically a “breach”, this conduct certainly warrants attention and corrective action.
The Secret Service is applauded for their detection and apprehension of the suspect in this case. This is a major milestone in letting identity thieves everywhere know that they can and will be prosecuted to the fullest extent of the law no matter where they try to hide.
For additional information regarding this matter we recommend contacting Experian at:
Experian PLC
475 Anton Blvd.
Costa Mesa, CA 92626
Gerry Tschopp
Respectfully,
M. Martin, CEO
Even if you want to argue, as Martin does, that the access was to Court Ventures’/Experian’s service, and not his, his database provided the data. Can a company just outsource its responsibility to protect consumer data and essentially claim “They approved him, they let him access their service, and therefore it’s all on them” – even though their database and service provided the data that the criminal resold to others for misuse?”
What do you think of Martin’s analysis and claims?
First let me say that I am completely against this free flow of data from the Credit Bureaus to anyone. The business itself should be outlawed. That being said, unless each data request from Court Ventures to U.S. Info Search via the gateway includes identification of the external requester (i.e., Hieu Minh Ngo), how would U.S. Info Search know whether to allow the request or not? From U.S. Info Search’s point of view, it would look like Court Ventures was the requester, correct? Maybe that would be one of the fixes that needs to be put into place…