A portion of the indictment charging Hieu Minh Ngo. Click on the image to read the document in PDF.
An investigation of an alleged Vietnam-based identity theft ring has dragged in the credit reporting firm Experian and rekindled a congressional effort to force companies to reveal how they use Americans’ personal and financial data.
The scam, revealed in an indictment unsealed on Friday, allegedly resulted in the theft of data for 500,000 Americans, information which was then posted for sale on websites, including superget.info and findget.me. But the indictment made no mention of the source of the data.
Security expert Brian Krebs uncovered that detail and reported on it Sunday. In a post at KrebsOnSecurity.com, he said the conspirators bought the information from a company called Court Ventures by posing as private investigators. Court Ventures, purchased in March 2012 by California-based Experian, had obtained the information through a data-sharing agreement with USInfoSearch.com, he wrote.
In a statement to Krebs, Experian said the Secret Service had notified it that “Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity.” Experian said it then stopped reselling the data from USInfoSearch.com and worked with law enforcement to catch the crooks.
“Experian’s credit files were not accessed,” the statement said. “Because of the ongoing federal investigation, we are not free to say anything further at this time.”
That response didn’t satisfy Sen. Jay Rockefeller, D.-W.Va. As chairman of the Senate Commerce Committee, he sent a letter to Experian President Donald Robert on Wednesday asking for details on Court Ventures’ involvement in the case, including the dates on which its sales to the alleged conspirators began and when they ended. Those dates could be important if the sales continued after Experian bought Court Ventures.
Krebs quoted USInfoSearch.com CEO Marc Martin as saying the sales did continue for nearly a year after Experian acquired Court Ventures, citing a conversation he had with an unidentified Secret Service agent.
Martin also told Krebs that the Secret Service told him that the superget.info conspirators paid Court Ventures’ monthly data access charges with wire transfers through Singapore and wondered why such a payment method didn’t raise red flags.
The case has similarities to the 2005 ChoicePoint case, one of the first big thefts from a major data broker, technology columnist Bob Sullivan said. That case, first revealed by Sullivan, involved the theft of information from more than 160,000 people. ChoicePoint paid $15 million to settle Federal Trade Commission charges that it failed to protect consumers' data.
Rockefeller’s letter, first reported in The New York Times, is the senator’s latest effort to get big data companies like Experian to divulge what they’re doing with Americans’ personal and financial information. Two weeks ago, Rockefeller sent letters to nine such companies, asking them to respond by Nov. 2 to detailed questions on collection and security of the data.
Then came news last week of the indictment and the Krebs report.
“If these recent news accounts are accurate,” Rockefeller said in his latest letter to Experian’s Robert, “they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them.”
Experian and Rockefeller did not respond to NBC News requests for comment.
More from NBC News Investigations:
- Romanian ring that targeted online car buyers in US is broken up
- Two killings do not a trend make; homicides remain rare in schools
- Prosecutors seek to maintain tight restrictions on Tsarnaev
Read and vote on readers' story tips and suggested topics for investigation or submit your own.