10/21/2013 Court Ventures (now owned by Experian)
a business other than retail in Anaheim, California
200,000,000 financial accounts compromised
The Experian acquired subsidiary Court Ventures in March of 2012. Unauthorized parties purchased information from Court Ventures and US Info Search, a contractually connected business partner. Consumer Social Security numbers, driver’s license numbers, bank account information, dates of birth, and credit card data were given to foreign criminals posing as a legitimate private investigator for over a year. The information was then resold to Superget.info, Findget.met, and possibly other underground cybercrime sites.
UPDATE (3/10/2014): Last week, Hieu Minh Ngo, a Vietnamese national pled guilty to running an identity theft ring out of his home in Vietnam. Last year the Secret Service created a sting operation that lured him to U.S territory where they arrested him. Mr. Ngo posed as a private investigator and created a contract with Court Ventures, paying for access to consumer records and a larger database through US Info Search. Ngo was able to acquire Social Security data, dates of birth and other records on more than 200 million Americans. Very little information regarding the scam was released until last week. Officials stated Ngo had devised numerous schemes including filing fraudulent tax returns, opening new lines of credit, as well as making charges on victims accounts. Ngo’s theft ring was paid a minimum $1.9 million dollars between 2007 and February 2013 for the stolen information and made approximately 3.1 million queries on Americans. Source
The 15 count indictment was filed 11/14/2012 in US vs Hieu Minh Ngo (a/k/a “hieupc,”) and John Doe One (a/k/a “rr2518” and “Wan Bai”) in the US District Court for the District of New Hampshire 12-CR-144-01/02-PB (20 page PDF)
According to the indictment the exposed personally identifiable information (“PII”) could include individuals’ names, addresses, social security numbers, dates of birth, places of work, duration of work, state driver’s license numbers, mothers’ maiden names, bank account numbers, bank routing numbers, e-mail account names, and other account passwords. For charge card data the data typically includes the payment card number, expiration date, Card Verification Value (“CVV”) number, account holder name, account holder address, and phone number.
The 3/3/2014 plea agreement transcript in US vs. Hieu Ngo in US District Court for the District of New Hampshire 12-CR-144-01-PB (30 page PDF)
Update (3/19/2014) A superceding indictment was filed in the US District Court, District of New Hampshire in US vs Oluwaseun Adekoya in case 1:13-cr-098-JL charging that between February 2012 and February 2013, he sought personally identifiable information which can include names, addresses, social security numbers, birth dates , work history, driver’s license numbers, mothers’ maiden names, bank account numbers, bank routing numbers, e-mail account names, and other account passwords. The seller was an undercover agent in New Hampshire. (9 page PDF)
Update (3/30/2014) Experian posted The Facts on Court Ventures and Experian. As of 9/20/2014 there were zero comments.
Update (4/03/2014) more to the story from security researcher Brian Krebs as to how several states in addition to New Hampshire are investigating the massive compromise of personally identifiable information.
Update (4/04/14) Interesting explanation on Experian suing Court Ventures and vice-versa per Court Ventures v. Experian filed in Superior Court of California in Orange County.
Update (4/05/2014) Brian Krebs fact checks Experian’s explanation from 3/30/2014 above
isn’t terribly important to you?
Update (4/21/2014) Lance Ealy
Read about Lance Ealy whose information was compromised in the massive Experian breach. Ealy, from Dayton, Ohio was charged 10/28/2013 in US vs Lance Ealy case 3:13mj471 in the US District Court for the Southern District of Ohio (9 page PDF)with one count of fraud. He protested he was a victim of identity theft. His original single count indictment was superseded on 4/10/2014 by a 42 count indictment (12 page PDF)
Was Ealy the victim as he claims? Or, was he a client of the Ngo as the government appears to believe? Either way, could it happen to you?? (see 11/18/2014 update below)
Update (5/19/2014) Multiple pleas of guilty
Several person in the New York / New Jersey area have pled guilty to various crimes using data from the Experian breach. Some named Ngo as their source. More at Krebs on Security
Here is the 3/31/2014 guilty plea in US vs. Idris Soyemi case 13-cr-96-01-PB in United States District Court in the District of New Hampshire. (18 page PDF)
Here is the 5/02/2014 guilty plea US vs. Adebayo Adegbesan case 13-cr-110-01-pb in United States District Court in the District of New Hampshire. (21 page PDF)
Update (11/18/2014) Re Ealy
A jury in Ohio convicted Ealy on 46 charges including aggravated identity theft, and wire and mail fraud for filing at least 179 federal tax refund requests. To do that he opened bank accounts to receive, then withdraw, thousands of dollars in IRS “refunds”. While on trial Ealy may have continued to steal identities. He was in court on Friday 14, 2014, but during the weekend he apparently slipped out of his electronic monitoring device and fled.
Update (3/18/2015) Ealy Caught
Lance Ealy was apprehended in Atlanta, Georgia four months after fleeing Ohio and being tracked by the United States Marshals Service SOFAST task force.
While still a fugitive, Ealy filed (30 page PDF filed 11/26/2014) pro se and also in absentia citing bias and three rule violations by the court and moving for a retrial. The prosecutors responded (58 page PDF filed 2/09/2015). While still a fugitive Ealy quickly filed a response (18 pages PDF filed 2/12/2015)
Sources: Krebs on Security and WDTM Channel 2 of Dayton Ohio
Update (7/15/2015) Hieu Minh Ngo Sentenced
Having exposed information on 200+ million Americans, Hieu Minh Ngo has been sentenced to 13 years in a U.S. Prison after a plea agreement in early 2014. He could have received more than 20 years, but cooperated with authorities. He was responsible for improperly purchasing information from Court Ventures (acquired by Experian in 2012) and US Info Search then selling it to more than 1,300 others who used that information in a wide variety of financial crimes. There was apparently no consequence for the firms that sold the information in the first place. (Sources: Daily Mail UK KrebsOnSecurity)
Update 7/21/2015 Class Action
A class action lawsuit filed 7/17/205 in the U.S. District Court for the Central District of California, alleges Experian was negligent and “violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.” (Krebs on Security) A copy of the complaint (38 page PDF)
From paragraph 39 of the complaint
According to the Federal Trade Commission (“FTC”), “the range of privacy – related harms is more expansive than economic or physical harm or unwarranted intrusions” and “any privacy framework should recognize additional harms that might arise from unanticipated uses of data. (source for the quote FTC Report, Protecting Consumer Privacy in an Era of Rapid Change from March 2012 (112 page pdf))
Case 8:2015cv01142 docket
Return to 2013 details page
Year links page
Return to References page