When the Justice Department announced last week that it had indicted a Vietnamese national for allegedly masterminding an identity theft marketplace, it left out a crucial detail — where suspect Hieu Minh Ngo obtained the data dossiers he sold on 500,000 victims during a five-year crime spree. Thanks to security expert Brian Krebs, we now know. Ngo didn’t hack or barter for the incredibly complete sets of personal information he sold, known as “fullz” in the computer underground. Krebs says he purchased the data from a data brokerage company named Court Ventures that was acquired by credit bureau Experian in 2012.
Ngo tricked Court Ventures into selling him the incredibly sensitive information by posing as a legitimate U.S. private investigator, and he continued to purchase the data even after Experian acquired the firm, Krebs says.
Data stolen by Ngo included a person’s name, date of birth, social security number, bank account number and bank routing number, and other payment information, such as card number, expiration date, card verification value number, account holder name, account holder address and phone number, according to the Justice Department.
The data was then sold to criminals at websites with names like SuperGet.Info; they could buy “fullz,” or could ask for specific pieces of information they needed to fill out profiles they’d already compiled.
Krebs’ story suggests that Experian should have suspected it was selling data to a criminal because “the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.”
Ngo’s indictment lists dozens of e-mail exchanges referencing package deals for the valuable information. The data — and the credit of consumers behind it — was sold on the cheap.
“I see you as a big customer at findget.me. If you want to have a big deal with us, please let us know. Currently we have some big plans for users like you.. $5000 for 22,000 credits. $10,000 for $50,000 credits,” one e-mail said. Then, underscoring the professional nature of the operation, the writer claims to offer excellent customer service: “With fully 24/24 hours support from admin if you have any issues. Thank you.”
In a statement to Krebs, Experian said that no credit bureau files were accessed, and that it stopped reselling Court Ventures data to Ngo after it was notified of the ongoing alleged crime by the U.S. Secret Service. It’s unclear how much of the data was acquired under Experian’s watch; the firm acquired Court Ventures in March 2012, and the indictment says Ngo allegedly purchased the data through at least June 2012.
The scheme calls to mind one of the first major data broker thefts, disclosed in 2005, which targeted ChoicePoint.com. In that incident, a Nigerian identity theft mastermind created at least 50 fake businesses and gained access to ChoicePoint files, then acquired data on hundreds of thousands of U.S. consumers. After similar incidents at other data warehouse firms, brokers instituted tougher credential procedures designed to stop their data from flowing to criminals.
But this SuperGet.Info incident shows that it’s not easy for firms with treasure troves of consumer information to ensure they know who they’re selling to.