Brian Krebs writes:
In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers.
Read more on KrebsOnSecurity.com. As a side note, Brian uploaded the transcript of the court hearing where Hieu Minh Ngo, a Vietnamese national, pleaded guilty in U.S. District Court in New Hampshire to three charges. It’s a fascinating read for the judge’s meticulous concern to establish that there were no language problems that impaired Ngo’s ability to understand the charges, the process, or his rights. The judge also spent a lot of time exploring Ngo’s statement in court that he had a long history of mental illness and suffered from hearing voices, but the voices were not relevant to his actions, decisions, or ability to decide to plead guilty.
Overall, I think it’s clear from Brian’s outstanding coverage that the problem may have started with US Info Search and Court Ventures not doing their due diligence to keep bad actors out of their databases, but once Experian purchased Court Ventures, it became Experian’s responsibility. And thinking back over all the numerous breach reports I’ve read involving Experian’s database, I’m now wondering how many of the “someone was able to authenticate as you” breach notifications were linked to data acquired through the Ngo’s criminal activities and those of his customers.
In the meantime, I continue to watch and wait to see if the FTC does anything about the complaint I filed against Experian in April 2012 based on what is now more than 100 breaches where clients’ login credentials have been misused to access consumers’ credit reports. While that type of breach may seem somewhat different than a breach in which someone attempts to access credit reports by posing as the named consumer, both types of breaches result from the failure to have adequate authentication standards in place – the same type of failure that enabled Ngo’s customers to access so many credit reports.
Experian has claimed it will protect those whose data were stolen by Ngo’s customers. If it protects them with their own product – a product that only monitors their own credit report database and not Equifax or TransUnion – that might be small comfort to the millions of Americans whose detailed histories may already be in the hands of criminals.