Big-three credit bureau Experian is the target of a class-action lawsuit just filed in California;
The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.
The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me.
Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures " a company that Experian acquired in 2012.
He got access to some 200 million consumer records by posing as a private investigator based in the United States, and for nearly ten months after Experian acquired Court Ventures, Ngo continued paying for his customers’ data searches via cash wire transfers from a bank in Singapore.
Ngo’s service sold access to “fullz,” the slang term for packages of consumer data that could be used to commit identity theft in victims’ names. The government says Ngo made nearly $2 million from his scheme.
According to the Justice Department, the IRS has confirmed that 13,673 U.S. citizens, whose stolen personal information was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns.
The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA).
The plaintiffs also want the court to force Experian to notify all consumers affected by Ngo’s service; to provide them free credit monitoring services; to disgorge all profits made from Ngo’s service; and to establish a fund (in an amount to be determined) to which victims can apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service.
Experian’s Tony Hadley, addressing the Senate Commerce Committee in Dec. 2013.
“The Security Lapse notice, as well as the above referenced protections, also will fulfill the promise made to Congress byTony Hadley, Experian’s Senior Vice President of Government Affairs and Public Policy, that ‘we know who they [the Security Lapse victims] are, and we’re going to make sure they’re protected’,” the complaint states. For more on Experian’s contradictory statements before Congress on this breach, see this March 2014 story.
Experian did not respond to requests for comment on the lawsuit, and it has yet to respond to the claims in court. A copy of the complaint is here (PDF). Incidentally, Experian and the former owner of Court Ventures are currently suing each other over which company is at fault for Ngo’s service.
For additional stories related to Ngo’s service and his hundreds of criminal customers, check out this series. For more on what you can do to avoid becoming an identity theft victim, please see this story.
Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. He was recently profiled in Business Week and by Poynter.org.
www.krebsonsecurity.com
