Jim Finkle of Reuters reports:
U.S. attorneys general have launched a multi-state investigation into a breach in which criminals gained access to a repository of some 200 million social security numbers through a unit of data provider Experian Plc.
“We are investigating,” said Maura Possley, a spokeswoman for Illinois Attorney General Lisa Madigan. “It’s part of a multi-state investigation.”
Jaclyn Falkowski, spokeswoman for Connecticut Attorney General George Jepsen, said that Connecticut is looking into the matter also.
Read more on Reuters.
This is, of course, the US InfoSearch/Court Ventures breach originally disclosed by Brian Krebs and discussed elsewhere on this blog. Experian acquired Court Ventures in March 2012, but the criminal behavior reportedly continued for another 9 months until the Secret Service informed Experian what was happening. Experian subsequently acknowledged in testimony to Congress that they had dropped the ball on due diligence when they acquired Court Ventures. They also assured, Congress, however, that they would protect the individuals who were impacted by the Court Ventures breach. So far, however, I have found no reports by Experian stating that they have either sent notification letters or offered free credit monitoring to those whose data were acquired because Court Ventures (and then Experian) allowed a criminal to open an account that gave him access to US InfoSearch’s database under a reciprocal agreement.
Update: Okay, after I first posted this, Reuters replaced the original brief story with one with more details. The fuller version helps explain why there has been no notification of affected individuals yet:
Officials with both Experian and U.S. Info Search say they have not been able to ascertain which records were accessed by Ngo’s customers and are therefore unable to notify victims.
So… because of an arrangement U.S. InfoSearch made with Court Ventures that continued under Experian’s ownership, no one can figure out whose data were accessed? Are the companies going to be allowed to get away with that or will they pay a price for that failure to maintain logs sufficient to provide that information?