Directive Blogs
How the Personal Information of 200 Million Users Wound Up on an Illegal ID Theft Service
You're likely familiar with the various ways that hackers can steal your identity, but you may not be familiar with how hackers anonymously buy and sell people's personal information to interested parties. This is done through online ID theft services and a December hearing before the U.S. Senate highlights how one service was selling personal records on more than 200 million Americans!
The ID theft service looked at by the Senate Committee on Commerce, Science, and Transportation was the website Superget.info. Based in Vietnam, the site was administered by 24-year-old Hieu Minh Ngo and contained millions of users' personal information like Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses, and other sensitive data.
KrebsOnSecurity reports that "Ngo's ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and February 2013." KrebsOnSecurity goes on to report that the site's customers extensively used the service with millions of queries:
The government alleges that the service's customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending February 2013, Ngo's customers made approximately 3.1 million queries on Americans."
How Did a Breach this Big Happen?
A stolen database this big is the result of a major breach with Experian, one of the three major U.S. credit bureaus. It turns out that this breach isn't the result of a direct hack, but rather Experian acquiring the information company Court Ventures. Founded in 2001, Court Ventures described itself as a firm that "aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.
Apparently, the Vietnamese proprietors running Superget.info gained access to Experian's databases by posing as a U.S.-based private investigator associated with Court Ventures. KrebsOnSecurity interviewed Marc Martin, CEO of U.S. Info Search, a data company that worked closely with Court Ventures and shared data with them, was interviewed about how Ngo was able to accomplish the con, and how red flags were given early on that should have alerted Experian.
While the private investigator ruse may have gotten the fraudsters past Experian and/or Court Ventures' screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.
Experian acknowledged the outline of Martin's explanation, and gave additional details to KrebsOnSecurity in a written statement:
Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the U.S. Secret Service notified Experian that Court Ventures had been and was continuing to resell data from U.S. Info Search to a third party possibly engaged in illegal activity. Following notice by the U.S. Secret Service, Experian discontinued reselling U.S. Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian's credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time."
In March, Hieu Minh Ngo pleaded guilty to running an identity theft service out of his home in Vietnam after being arrested in Guam last year by U.S. Secret Service agents. In light of the Senate hearing and questioning of Tony Hadley, Experian's senior vice president of government affairs, details are coming to light as to the extent of this data breach, which includes revelations that the personal information of 200 million users that became vulnerable in this breach.
What Can You Do to Prevent Identity Theft?
In a case like this, there's nothing that you can do to prevent your data from being stolen from a major company like Experian. Upon finding out that your information is at risk from a scam like this, the only thing that you can do is damage control. To cover your butt, you can get new credit cards, change the passwords to your various online accounts, and closely monitor your financial statements. There are even various services that will do this monitoring for you and alert you to any fraudulent charges on your accounts or new credit applications in your name.
The world of data theft is seedy and involves hackers with international connections targeting your personal data. While you can't prevent your data from being stolen from a major company like Experian or Target (Target recently had the financial and personal data of 110 million shoppers stolen from them), you can take safety precautions to secure the data of your personal accounts and your business from direct attacks by hackers. Directive can help set you up with the strongest security solutions on the market, and walk you through the steps to take if your information is ever compromised. Give us a call at 607.433.2200 to learn more.
Quotes courtesy of krebsonsecurity.com.