How an identity thief tricked data brokers into giving up 200 million consumer records

For a company that peddles secrets, data broker Experian sure sucks at keeping them.  


Kate Knibbs

Tech

Published Mar 11, 2014   Updated May 31, 2021, 3:48 pm CDT

Alcoholism. A taste for weird porn. Credit card debt. Bulimia.

Data brokers are compiling information on you, from your marital status to whether you’ve ever purchased a sex toy. That’s bad enough, but what’s worse: This information is spectacularly insecure.

What if your secrets became public knowledge, something a future employer could look up along with your scrubbed-clean LinkedIn profile?

It sounds like the premise of some action movie set in a dystopian future, but this is, without embellishment or hyperbole, real life. Data brokerage companies are amassing dossiers on people based on their digital lives, and selling this information—which can include stuff you’d never want to be made public or given to strangers. This industry of personal data collection is incredibly lucrative; according to Sen. Jay Rockefeller IV (D-W.Va.), private data brokers made more than $156 billion in 2012.

It gets worse: Security researcher Brian Krebs has posted new details about an investigation he conducted in 2013 that revealed an identity thief accessed 200 million consumer records from Experian, one of the three largest data brokerage firms in the U.S.   

Add this to the fact that last week, 24-year-old Vietnamese national Hieu Minh Ngo pled guilty to operating an identity theft service. Ngo was arrested by U.S. Secret Service agents in Guam in a sting that lured him into U.S. territory with the promise of a fake, huge deal with data brokers.

But Ngo had already set up successful deals with data brokers by posing as a private investigator from Singapore. He tricked a subsidiary of Experian called U.S. Info Search into giving him access to their information. According to Krebs, Ngo made at least $1.9 million giving clients information like social security numbers, email addresses, and other sensitive data—and these clients turned around and used the information to steal identities and rack up huge credit card bills. A transcript obtained by KrebsOnSecurity allegedly shows that Ngo’s data-thief customers made 3.1 million inquiries to get this data. This isn’t the minor leagues. Ngo sold what are known as “fulls,” or full packets of information, enough to pull a thorough identity theft. He did it with information that came to him from Experian.

Ngo’s “fulls” contained enough information for the thieves who bought them to file fraudulent tax returns and commit ATM fraud, but they didn’t contain the type of surprising personal information discussed earlier, like membership in AA or sex toy purchases. So these are two separate issues: One, the data broker industry is tracking digital behavior to an unconscionable degree, and two, even the basic information they collect, like addresses, is not secured and has been proven to fall into the hands of identity thieves. The entire system is shadier than a mango grove in a cave.

The U.S. Senate held hearings about data brokers in 2013 and addressed Experian’s security issues, but the company continues to traffic in personal information. In fact, despite legislative scrutiny, Experian is in charge of verification services for Healthcare.gov. This means a website run by the United States government is facilitating information collection by a data brokerage company that recently leaked stuff like SSNs and employment histories for 200 million U.S. citizens.

“They know if you have diabetes or suffer from depression. They know if you smoke cigarettes. They know your reading habits, your browsing habits. They know how much you and your family members weigh. They may even know how many whiskey drinks you have consumed in the last 30 days,” Sen. Rockefeller said during the hearings. “Under current laws, we have no right to see these pictures of ourselves that these companies have created.”

Julia Angwin at ProPublica compiled a list of data brokers and whether they offer an opt-out option. Experian does have a method of opting out, but it’s not clear how comprehensive it is. Experian did not respond to the Daily Dot’s request for comment.

Ngo is likely going to jail; he has pled guilty and will be sentenced in June. And while he is obviously a major player in this identity theft ring, is he really the only party culpable? It wasn’t exactly difficult information for him to steal. Experian left the back door unlocked for the personal information of millions of people. It should be held accountable for what is grossly negligent security.

Even if Experian is held accountable, it is just one of many data brokers operating under a veil of operational opacity. And it’s altogether too difficult to opt out of having personal information collected—which makes it even more disturbing that this information can get collected and then stolen.

“The data broker market needs more transparency and consumer empowerment: we the users need a better idea of who’s collecting our information, how much they’re collecting, and how to edit the data or opt out,” Adi Kamdar, an activist at the Electronic Frontier Foundation, told the Daily Dot. “There have been proposals for a centralized opt out service, perhaps maintained by the FTC, that would be very nice to have. One of the biggest obstacles, however, is knowing just how many data brokers are out there, let alone getting them to comply in the first place.”

H/T Krebs On Security | Illustration by Jason Reed 

First Published: Mar 11, 2014, 3:43 pm CDT