Trot on over to KrebsOnSecurity.com, where Brian’s connecting the dots between a number of criminal prosecutions and Ngo, the Vietnamese national who posed as a Singapore investigator to get a Court Ventures account that gave him access to reports in U.S. Info Search’s database. Experian subsequently acquired Court Ventures, and Ngo’s account was allowed to continue until Experian was notified of the criminal activity.
And with this post of his, Brian has added another strong refutation to any claims that there’s no evidence of identity theft or misuse of the data.
But who is notifying all those affected and who will be held accountable for this breach?
As noted previously on this blog, there’s been a lot of finger-pointing. But while Experian and U.S. Info Search are pointing fingers at each other, and while state attorneys general are investigating, it appears consumers still haven’t been notified by any of the firms involved.
DataBreaches.net reached out to Experian to inquire whether there was anything new in terms of agreement between U.S. Info Search and Experian as to who would notify those affected, but a spokesperson said there was nothing new to report on that front.
And that’s something state attorneys general should keep in mind when looking into this whole mess. What does their state law say about who is responsible to notify consumers – the owner of the database where the consumer information resided or the company whose clients improperly accessed that database?