In March 2012 Experian acquired Court Ventures as a subsidiary company to add to its data broker and analytics space. Court Ventures is a company that collects and aggregates information from public records; i.e. court records that contain limited personally identifiable information, as well as information collected from other companies with agreements to share information between one another.
One of the companies that Court Ventures had such a contract with was U.S. Info Se
arch. This contract was in place at the time Experian made the purchase of Court Ventures. The contract between Court Ventures and U.S. Info Search allowed Court Ventures’ customers to have access to U.S. Info Search’s data base to find the address of a person to determine which court records to search.
Approximately ten months after Experian acquired Court Ventures, the U.S. Secret Service contacted Experian to inform them that Court Ventures had been and was presently reselling information from a U.S. Info Search data base to a customer who was likely committing illegal activities with the data. The Court Ventures customer turned out to be a Vietnamese man named Hieu Minh Ngo who was posing as a private investigator from the United States. Ngo continued paying for his customer data searches from Court Ventures with wire transfers from a bank in Singapore for as many as ten months after Experian had acquired Court Ventures.
After being notified of the ongoing investigation Experian discontinued reselling U.S. Info Search’s data to Hieu Minh Ngo and cooperated fully with the Secret Service in their investigation. It was later determined that Ngo was a 25 year old Vietnamese man operating an ID theft service under various names such as Superget.info and findget.me. Ngo confessed his crimes to the U.S. authorities which included running a service that sold packages of consumer data that other hackers could use to commit identity theft with from the illegally accessed data victims information.
According to the indictments against Ngo and subsequent convictions the IRS confirmed 1,300 U.S. taxpayers whose stolen information was sold on Ngo’s websites were the victims of identity and taxpayer identity fraud. The filing of the identity theft victim’s false tax returns amounted to 65 million dollars in phony return payments. The Justice Department has said Ngo made more than 2 million dollars from selling stolen data on his hacker websites. As part of a plea deal, a judge in New Hampshire sentenced Ngo to 13 years in prison for the cyber crimes he committed.
Shortly after Ngo’s conviction, a class action suit was filed against Experian on behalf of the victims whose identity was stolen seeking damages for Experian’s alleged violations of the Fair Credit Reporting Act, as well as other statutory violations.
Experian has denied all culpability in the crimes and posted a statement trying to present their side of the events, not all of which have proved to be accurate, including reports that the total number of hacked accounts reached 200,000,000. Below is a portion of their statement explaining what Experian is doing:
In terms of notifying consumers, Experian does not know which consumers’ information was disclosed as the data did not come from an Experian database and no other information now available to Experian would identify which consumers should be notified. Experian has engaged U.S. Info Search to determine whether it is possible to identify the consumers who actually have been affected. Those efforts have not yet produced a reliable process for identifying consumers who appropriately should be notified but efforts are continuing.
This is a situation that Experian takes very seriously and we acknowledge the concern consumers may have about this illegal access. We are actively pursuing the facts and we are working with investigators to help uncover what records may have been affected.
You have our commitment.
Additional Resources About This Breach: