Experian Tied to Breach Investigation
Subsidiary Alleged to Have Provided Info to CybercriminalInformation services firm Experian is responding to news that two states are investigating a breach involving a subsidiary that allegedly provided information to a cybercriminal, saying there's been "inaccurate information" circulating online.
See Also: Effective Communication Is Key to Successful Cybersecurity
In responding to the breach investigations, Gerry Tschopp, a spokesman for Experian, says: "No Experian database was accessed. The data in question have at all relevant times been owned and maintained not by Experian, but by a company called US Info Search." US Info Search provides data to U.S. companies, government agencies and legal industry professionals.
The Illinois and Connecticut attorneys general are investigating the data breach involving a subsidiary of Experian, Court Ventures, that apparently provided personal information to an individual who used the data for criminal activity.
Spokespersons for both attorneys general confirmed to Information Security Media Group their involvement in the investigation, although they declined to provide details.
Tschopp says Experian purchased the assets of Court Ventures, a company that collects and aggregates information from public records and that formerly also sold data from US Info Search. For more than a year before the acquisition by Experian, Court Ventures sold personal data from US Info Search to Hieu Minh Ngo, Tschopp says. Ngo, a Vietnamese man, last month confessed in U.S. District Court in New Hampshire to running an underground website that offered clients access to personal data of Americans, including Social Security numbers, according to a news report from Reuters.
Federal authorities say Ngo, posing as a Singapore-based private investigator, obtained Social Security numbers through Court Ventures, according to Reuters. Prosecutors say Ngo and other associates used Court Ventures to make some 3.1 million queries of the US Info Search database over an 18-month period, Reuters says.
Some news reports are claiming that 200 million records were exposed to Ngo. But Tschopp contends that the size of the US Info Search database may be 200 million, "[but] that does not mean the total number of records were accessed."
Experian discontinued Court Ventures' sale of US Info Search data immediately upon learning of the Ngo incident and worked closely with law enforcement to bring Ngo to justice, Tschopp says.
"We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search's data to Ngo, and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian," Tschopp says. "We look forward to addressing this issue through proper legal channels."
The incident is also described in a blog on the Experian website.
Ngo was charged in a 15-count indictment in October 2013 with conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud and substantive access device fraud, according to the Justice Department. He faces a maximum penalty of 42 years in prison.