Because the data were owned and controlled by U.S. Info Search, Experian says they are not responsible for notifying victims of a breach involving Court Ventures, a firm it acquired in 2012. So why does the media only have Experian’s name in the headlines?
Jim Finkle of Reuters recently reported that there is a multi-state investigation of the Court Ventures breach involving U.S. Info Search’s database, but investigators did not disclose much beyond acknowledging that they are investigating. I would assume that one of the issues they will investigate is why no affected consumers have been notified of this breach at all, much less in a timely fashion. And on that question, Finkle reports:
Officials with both Experian and U.S. Info Search say they have not been able to ascertain which records were accessed by Ngo’s customers and are therefore unable to notify victims.
Why haven’t they been able to ascertain this? In a statement to Brian Krebs, Marc Martin, CEO of U.S. Info Search pointed the finger at Experian:
“We have cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications,” Martin wrote in an email to KrebsOnSecurity. “In addition, Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”
In email to DataBreaches.net, Martin had indicated that he had no way of knowing which inquiries were made by Ngo as U.S. Info Search’s logs only indicated Court Ventures’ IP address. It seems neither company has both pieces – search queries and search results – in their logs. For its part, Experian informed DataBreaches.net that it had provided its records on Ngo’s search queries to law enforcement in December 2012.
While Krebs fact-checked Experian’s talking points, his post did not incorporate any statement from Experian asking them to respond to Martin’s statements. Asked by DataBreaches.net, an Experian spokesperson responded:
The legal obligation to notify consumers is on the entity that owns and controls the data that was misappropriated – US Info Search. In fact, assuming it has preserved the records, only US Info Search has the ability to know what data was returned in response to Ngo’s inquiries. Neither Court Ventures nor Experian ever stored a record of the search results generated from the US Info Search database; however, US Info Search did store several months of the actual search results that could be used to determine which consumers had their personal information disclosed to Mr. Ngo. Experian made a specific written request to US Info Search to preserve those actual stored search results and we understand that US Info Search may not have preserved those stored search results as Experian requested.
As we’ve said, we are cooperating with all authorities to get all the facts. And again, assuming it has preserved the records, only US Info Search has the ability to know what data was returned in response to Ngo’s inquiries.
To those who have been following this case, it will be obvious that Experian's statement today clearly contradicts its previous statement to Congress that it knew who the victims are and that it would protect them. In a phone call with Experian to follow up on the statement above, an Experian spokesperson informed DataBreaches.net that Tony Hadley's response to Congress was based on Experian's policy for handling breaches involving consumer credit reports in its own database. Because this breach did not involve Experian's database or Experian's data, that policy did not apply and Hadley misspoke.
So Experian’s position is that U.S. Info Search is responsible for notifying all consumers whose information was acquired by Ngo – even after Experian acquired Court Ventures – because it is U.S. Info Search’s database.
I imagine the lawyers and state attorneys general will determine if Experian’s statement about responsibility is accurate, but a quick check of Connecticut’s statute (Connecticut is one of the states investigating the breach) begins:
Any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security….
So Why is It Experian’s Name in the Headlines?
The public – as well as Congress and state attorneys general – first really became aware of this breach in October 2013 in an investigative report by Brian Krebs, “Experian Sold Consumer Data to ID Theft Service.” Brian followed up on the story with other reports, “Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records,” and “Fact-Checking Experian’s Talking Points.”
Not surprisingly, perhaps, given his widely cited reporting and Experian’s name recognition, almost all news stories about the Court Ventures breach do not name Court Ventures or U.S. Info Search in their headlines, but do name Experian:
Adding to the public’s perception that Experian may have a lot of responsibility for the breach – via its acquisition of Court Ventures and its failure to flag Ngo’s account despite overseas wire payments – consider this statement by Krebs in his first report:
U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement.
While U.S. Info Search may not have been paid directly by Ngo and did not establish a direct subscriber relationship with him, it seems more accurate to report that, while the consumer information being re-sold on Superget.info was not obtained through his company, it was obtained directly from his database.
So Whose Breach Was It?
Experian did not come into this breach at all until March 2012. So weren’t Court Ventures and U.S. Info Search actually more responsible for the breach than Experian? And if so, why is it only Experian’s name in the headlines?
As Krebs reported and court records indicate, Hieu Minh Ngo was able to obtain an unconfirmed number of consumers' personal information by using an account with Court Ventures to access U.S. Info Search's database under a reciprocal access agreement. Court Ventures' documents appended to their lawsuit against Experian over the escrow account show that Court Ventures and U.S. Info Search signed a data sharing agreement on April 9, 2010. Jason Low (Ngo) signed a data subscriber agreement with Court Ventures for SG Investigators on December 14, 2011. According to U.S. Info Search's CEO's statement to Krebs, it was Court Ventures' responsibility to ensure that its clients were "licensed and credentialed U.S. businesses." To my knowledge, no one reporting on this breach has yet obtained a copy of their agreement to confirm that, or to question what U.S. Info Search did to check whether Court Ventures was meeting its contractual obligations on that point. I am not accusing U.S. Info Search of not doing its due diligence, but merely pointing out that if you're looking at Experian's due diligence, shouldn't you also be looking at U.S. Info Search's?
And if you think – as I do – that Experian has responsibility when it fails to prevent criminals from accessing its credit report database by stealing or misusing clients' credentials, shouldn't you also think U.S. Info Search has, or should have, some responsibility for criminals misusing its database via Court Ventures? Shouldn't the media and investigators be asking hard questions of the two parties that were involved when the criminal activity started?
Fair is Fair
As a privacy advocate, I think there are plenty of good reasons to criticize Experian on data security involving its own credit report database (as I have pointed out numerous times on this blog), and I think it’s legitimate to raise questions about their due diligence and failure to flag an account making payments from overseas. But I do think Experian may actually be getting a bit of a bum rap on the Court Ventures breach when it’s only their name in the headlines and the breach started with Court Ventures and U.S. Info Search. Of course, the real responsibility for the theft of consumer information lies with Ngo and co-conspirator(s), but if state attorneys general are going to start imposing penalties, then I think that those more responsible for the original breach should carry the major part of the burden. But that’s just my opinion.
Yes, I know: me suggesting that Experian’s getting a bit of a bum rap may make regular readers of this blog wonder whether Hell just froze over. It hasn’t, but if I’m going to criticize Experian when I think they’ve done something wrong, I think it’s only fair that I point out when I think they may have been criticized unfairly when others have as much or more responsibility for a breach.