Is your personal identification information (PII) at risk?
The answer is undoubtedly yes! In today’s digital age, no one is exempt from a data breach, including Experian Information Solutions, Inc. (Experian), one of the three major credit bureaus in the U.S. A case in point is the story of Hieu Minh Ngo, a Vietnamese national, who managed to sell access to and expose records of more than 200 million Americans.
On March 3rd, 2014, Ngo appeared in federal court and pleaded guilty to an array of charges including wire fraud, identity theft, and access-device fraud. In a story first reported by krebsonsecurity.com, he pulled off his crimes by “posing as a private investigator operating out of Singapore. Ngo contracted with Court Ventures, paying for his access to consumer records… Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.”
The U.S. Department of Justice indictment against Ngo alleges that he not only granted access to the database, but that he also “acquired, offered for sale, sold, and/or transferred to others packages of PII for more than 500,000 individuals. These packages, known as ‘fullz,’ typically included a person’s name, date of birth, social security number, bank account number and bank routing number.” (USDOJ)
Over a period of 18 months, Ngo operated his business from his home in Vietnam and received more than 1.9 million dollars while his clients made more than 3 million queries in the database. The number of records actually retrieved by Ngo’s customers is unknown, but is suspected to be up to 30 million. (Krebs)
The connection to Experian:
It was during the period of Ngo’s activities that Experian purchased Court Ventures. Experian was unaware that Court Ventures had fallen victim to Ngo’s scheme. It is ironic that Experian did not do their due diligence before or after the acquisition of Court Ventures because they are in the direct business of helping other businesses avoid data breaches.
What happens if you have a data breach or you are the victim of one?
From an analytical standpoint, a data breach is a matter of risk management, crisis management and public relations as well. Experian offers a Data Breach Response Guide for businesses. They also offer credit monitoring services for individuals.
Advice from the Federal Trade Commission:
The Federal Trade Commission is a wealth of information for individuals. They offer practical advice for prevention of identity theft and actions to take if you become a victim. Their page includes:
It seems only natural that we grow weary of being diligent. However, we must control what we can. An appropriate quote from Experian’s web page: “The harsh reality is that our personal information is simply available in too many places to ensure a high level of security over a long period of time.”