LOS ANGELES (CN) – A federal class action claims Experian sold confidential consumer information to a Vietnamese fraudster who resold it to other crooks, in one of the largest ID theft security lapses in U.S. history.
Maudie Patton and two other named plaintiffs – from Oregon, New Mexico and Ohio – sued Experian Data Corp. on July 17.
They claim Experian sold millions of citizens’ credit information and Social Security numbers to Hieu Minh Ngo, a 25-year-old man who ran the identity-theft services Superget.info and findget.me. The lawsuit describes Ngo as a “convicted identity thief, black market PII [personally identifiable information] trafficker, and computer hacker.”
Ngo, a Vietnamese national, was arrested and charged in a 15-count indictment in New Hampshire in 2013. He was sentenced on July 14 this year to 13 years in prison.
Experian in 2012 purchased Court Ventures (CVI), which had contracted with Ngo, a self-described private investigator from Singapore using the alias Jason Low and doing business as SG Investigators, for access to its U.S. consumer databases, according to the lengthy lawsuit.
“Experian sold plaintiffs’ and class members’ highly sensitive, confidential, and regulated consumer, financial, and personal records and information, including consumer credit information and social security numbers (collectively, ‘PII’) to an identity thief who also sold PII to other identity theft criminals,” the 38-page complaint states.
Ngo sold and gave access to the data to 1,300 other fraudster customers, “who themselves are identity thieves,” and who paid him $2 million for the information, the plaintiffs claim.
Ngo and his co-conspirators offered several categories of PII, depending on how recently the data had been acquired, charging more for recent data. Ngo’s websites also sold “fullz,” fraudster slang for a complete collection of an identity theft victim’s PII, the complaint states.
Lance Ealy, “one of Ngo’s fraudster customers,” used victims’ information to file fraudulent income tax returns in their names and commit other identity thefts and fraud, according to the lawsuit.
Ealy, who made an unsuccessful run for Ohio governor, was convicted in November 2014 of 46 counts of wire fraud and identity theft, according to the complaint. He had gone on the lam but was caught after tweeting a taunting selfie and – unwisely – trying to file legal documents electronically, at least one of them in response to prosecutors who were looking for him, according to the KrebsOnSecurity website.
Patton claims in the lawsuit that Ealy filed a false tax return in her name and in the names of 175 other people.
Another “fraudster customer” of Ngo, Idris Soyemi, pleaded guilty to wire fraud in March 2104, according to the complaint. It cites a plea hearing in which prosecutors said Soyemi bought “dozens, if not hundreds” of IDs from Ngo, to commit credit card fraud and bank fraud.
“The security lapse is one of the largest data security lapses involving wrongfully disclosed and compromised PII in the history of the United States,” the complaint states.
Patton says Experian should have done its due diligence before buying CVI. Had it done so, she says, Experian would have learned “several facts that should have alerted it that CVI engaged in, and was connected to, unauthorized and unlawful activity.”
CVI told Experian that “virtually all” of the data it sold was publicly available criminal history information and thus unregulated, the plaintiffs claim.
“But, Experian later learned prior to the purchase that CVI, in fact, accessed certain personal information and, therefore, was subject to regulation,” the complaint states. “Prior to acquiring CVI, Experian learned that CVI misrepresented its regulatory compliance regarding such information.”
Nor did Experian investigate SG Investigators, Ngo’s company and CVI’s largest buyer of consumer PII, according to the complaint.
“Experian would have discovered Ngo’s illegal identity fraud enterprise utilizing CVI’s consumer PII databases, and shut it down,” the complaint states. “Experian, however, intentionally or with reckless disregard failed to do so, stood willingly by, facilitated the illicit operation, and reaped the financial benefits of the acquisition of CVI for another ten months.”
Leslie Caldwell, assistant attorney general of the Justice Department’s Criminal Division, called Ngo’s actions a “low-risk, high-reward proposition.”
“Criminals buy and sell stolen identity information because they see it as a low-risk, high-reward proposition,” Caldwell said. “Identifying and prosecuting cybercriminals like Ngo is one of the ways we’re working to change that cost-benefit analysis.”
Acting U.S. Attorney Donald Feith of the District of New Hampshire lauded the Secret Service for identifying and capturing Ngo.
“This case demonstrates that identity theft is a worldwide threat that has the potential to touch every one of us,” Feith said.
Experian did not immediately respond to a request for comment.
Patton et al. seek class certification, disgorgement and punitive damages for violation of the Fair Credit Reporting Act and California’s unfair competition law.
They are represented by Timothy Blood with Blood Hurst & O’Reardon, of San Diego; Ben Barnow of Chicago; and Richard Coffman, of Beaumont, Texas.
- Patient Says Doctors Drained All Her Blood