Where news headlines are concerned, “Hackers gain access to company database and steal customer info” has become almost as common as “Local woman gives birth.” It happens all the time, so unless you're personally involved with one or more of the actors it probably doesn't concern you.
So anytime you read such a news article – whether about Target, Sally Beauty or any other company in existence – there's always a part which says “If you are a recent customer of this company, here's certain steps you must take to protect yourself from identity thieves.” These steps often include contacting one of the big credit-reporting data broker agencies, like Experian, to warn them against possibly fraudulent activities on your account.
But the latest security breach, which KrebsOnSecurity reported on March 14, might be tougher to protect yourself against, since the identity thieves gained access to the files of Experian itself. More specifically: Vietnamese national Hieu Minh Ngo tricked Experian subsidiaries US Info Search and Court Ventures into believing he was a legitimate private investigator with legitimate (read: non-criminal) reasons to access data brokers' files.
As Krebs noted:
Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients [identity thieves] access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.
Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.
Full extent not clear
News of the Experian breach first came to light last October, but until recently, the full extent of the security damage was not made clear. Last week, finally, new information came to light. The Secret Service (which arrested Hieu last year) claims that Hieu's clients used their fraudulently obtained information for a wide variety of identity-theft schemes: opening credit lines and running up debt in other people's names, filing false tax returns and so forth.
Krebs noted (italics from the original): “The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo’s customers made approximately 3.1 million queries on Americans.”
It gets worse. As Krebs explained, each individual query would bring up records on multiple people — a query for “Brian Krebs” in Virginia brought back results for at least 10 different individuals, 10 people who'd be at extreme risk of identity theft after a data broker handed their confidential account information over to a fake private investigator in Singapore.
It is not known exactly how many Americans' personal information was compromised, though the government has promised to release more information “in the near future.” In the meanwhile, it might not be possible to conclusively determine whether or not your personal information is now in the hands of Hieu or his clients. All you can do is remember all the “protect yourself from identity theft” advice you've ever heard, and be doubly vigilant about it.