It's been months now since news first broke of the massive security breach at credit-reporter and data broker Experian: for several months Experian's entire database was accessible to a Vietnamese identity thief.
So how many people had their financial confidentiality placed at risk? Initial reports basically said “Nobody knows for sure, but it's a lot.” A couple months later, that was updated to “Nobody knows for sure, but it's up to 200 million Americans who are at risk — that's five out of every six adults in the country.”
We still don't know the full extent of the damage, and likely won't for a long time yet, but more specific details are coming out.
Security blogger Brian Krebs (who first reported the breach last October) noted this week that the Experian breach has been firmly connected to an identity-theft ring which operated throughout New York and New Jersey—and it's possible, just possible, that Experian executives thus far have been less than honest regarding the scope and extent of the damage:
Last year, a top official from big-three credit bureau Experiantold Congress that the firm was not aware of any consumers that had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. Today’s post presents evidence that among the ID theft service’s clients was an identity theft and credit card fraud ring of at least 32 people who were arrested last year for allegedly using the information to steal millions from more than 1,000 victims across the country.
On March 31, 2014, 26-year-old Idris Soyemi of Brooklyn, New York pleaded guilty in a New Hampshire court to one count of wire fraud. In Soyemi’s guilty plea hearing, the prosecutor laid out how Soyemi on several occasions bought Social Security numbers, dates of birth and other personal information from an online identity theft service run by guy named Hieu Minh Ngo.
If you've been keeping up with this story, you already recognize Ngo as the alleged Vietnamese identity thief who is said to have posed as a Singaporean private detective in order to buy confidential information from the databases of Experian subsidiary Court Ventures.
Ngo then allegedly acted as a sort of identity-thief “middleman” -- if you, a would-be identity thief, want to steal someone's identity but lack the confidential data necessary to do that, you contact such a middleman through various shady black-market channels and buy the confidential data from him.
Ngo offered a variety of services, according to court documents and testimony. Soyemi's guilty plea mentions how Ngo's customers could choose between “tax refund or credit card” — in other words, is the thief interested in taking out fake credit cards in people's names, or fraudulently filing for and collecting tax refunds in people's names?
Incidentally, last month Krebs reported on another criminal investigation which arose from the Experian breach — an American man and alleged customer of Ngo who is either responsible for filing dozens of fraudulent tax returns last year (according to prosecutors) or is being prosecuted partially in revenge for rejecting a plea agreement but mainly to deflect attention away from Experian's culpability in the matter (according to what he wrote to Krebs).
More details about Ngo's various clients and their victims will surely come out in the weeks and months to come. As of press time, however, there's really no specific advice we can give you regarding how to protect yourself from data brokers with poor security habits or identity-theft entrepreneurs other than the standard “Be vigilant and check your accounts” advice you always see in identity-theft-protection articles like this. Before last October or so, such articles also advised you to “Sign up for monitoring with one of the three major credit bureaus, including Experian.”
It honestly seemed like a good idea at the time.