Mass. AG Probes Breach Tied to Experian

Two Other States Also Investigating the Incident
Mass. AG Probes Breach Tied to Experian

The Massachusetts attorney general has launched an investigation into a data breach involving a subsidiary of Experian that resulted in the compromise of as many as 200 million records. Attorneys general in Illinois and Connecticut earlier announced similar investigations (see: Experian Tied to Breach Investigation).

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

"Allegations that companies have allowed criminals to purchase personal information of consumers are extremely troubling," says Martha Coakley, the state's attorney general, in an April 22 statement announcing the investigation. "We are especially concerned about allegations that the companies may have known of this incident for over a year, while not reporting it so consumers could protect themselves."

Coakley's office has been in contact with both Experian and U.S. Info Search - a separate entity not affiliated with Experian that's also allegedly involved in the incident - to review the circumstances of the breach. The attorney general's office will investigate whether both companies had proper safeguards in place to protect consumers' personal information from unauthorized use or disclosure, and to ensure that the companies take all steps necessary to protect consumers from this breach.

The Investigations

The three attorneys general investigations are probing a data breach involving a subsidiary of Experian, Court Ventures, that apparently provided personal information to an individual who used the data for criminal activity.

In responding to the breach investigations, Gerry Tschopp, a spokesman for Experian, said earlier: "No Experian database was accessed. The data in question have at all relevant times been owned and maintained not by Experian, but by a company called U.S. Info Search." U.S. Info Search provides data to U.S. companies, government agencies and legal industry professionals.

Tschopp said Experian purchased the assets of Court Ventures, a company that collects and aggregates information from public records and that formerly also sold data from U.S. Info Search. For more than a year before the acquisition by Experian, Court Ventures sold personal data from U.S. Info Search to Hieu Minh Ngo, Tschopp said. Ngo, a Vietnamese man, last month confessed in U.S. District Court in New Hampshire to running an underground website that offered clients access to personal data of Americans, including Social Security numbers, according to a news report from Reuters.

Federal authorities said Ngo, posing as a Singapore-based private investigator, obtained Social Security numbers through Court Ventures, according to Reuters. Prosecutors said Ngo and other associates used Court Ventures to make some 3.1 million queries of the U.S. Info Search database over an 18-month period, Reuters reported.

Some news reports are claiming that 200 million records were exposed to Ngo. But Tschopp contended that the size of the U.S. Info Search database may be 200 million, "[but] that does not mean the total number of records were accessed."

Experian discontinued Court Ventures' sale of U.S. Info Search data immediately upon learning of the Ngo incident and worked closely with law enforcement to bring Ngo to justice, Tschopp said.

"We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of U.S. Info Search's data to Ngo, and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian," Tschopp said.

The incident is also described in a blog on the Experian website.

Ngo was charged in a 15-count indictment in October 2013 with conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud and substantive access device fraud, according to the Justice Department.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.