More information has come to light regarding the massive security breach at Experian; when we discussed the case last month, we mentioned that it was “not known how many millions of Americans had their data compromised.”
But new information indicates the number may be as high as 200 million.
On April 3, Reuters reported that the state attorneys general for Illinois and Connecticut have opened a “multi-state investigation” into the matter, which resulted in the Social Security numbers of millions of Americans being made accessible to the criminal clients of Vietnamese identity thieves.
Experian responded to this news by releasing a set of talking points about what they call “an unfortunate and isolated issue – one that we take very seriously and continue to address.”
This in turn inspired security blogger Brian Krebs, who first discovered the Experian data breach last October, to publish a point-by-point deconstruction of Experian's response to this “unfortunate” issue. Amazingly, Krebs did not explicitly use the words “obfuscation” or “disingenuous” while refuting Experian's responses.
For example, Experian said this:
No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.
So what? As Krebs pointed out, all of his stories on the issue (not to mention all government-investigation documents on the issue, and various media reports on the whole mess) explicitly mentioned this fact.
The problem is that: “US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service). For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.”
Experian went on to say:
Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.
Experian, like any other business, is required to exercise “due diligence” regarding any company it wishes to acquire: if you buy a company that's in debt, you also buy that debt. If you buy a company embroiled in various lawsuits, those lawsuits are now yours to defend against. (For that matter, ordinary people are also expected to apply due diligence to their purchases: if you want to buy a house, you'd better run a title search first, because any lien on that house becomes the buyer's responsibility.)
As Krebs pointed out, “Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company.”
Experian also takes umbrage with the “200 million Americans” number appearing in media reports:
“Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed.”
This was presumably in response to statements like this one, taken from the April 3 Reuters report on the multi-state investigation:
“Federal authorities say [identity thief Hieu Minh Ngo] obtained Social Security numbers through a U.S. firm known as Court Ventures, which provides customers with access to court records. It also offered them access to a database of Social Security numbers of some 200 million Americans through a data-share arrangement with another firm, known as U.S. Info Search.”
Notice the distinction between “accessed” and “had access to”? Experian defended itself against a claim nobody actually made.
Or, as Krebs pointed out, “prosecutors for the U.S. Justice Department stated that Ngo — by virtue of fooling Court Ventures into thinking he was a private investigator – had access to approximately 200 million consumer records. As I have stated previously, however, Ngo had to pay for the records he accessed, and he was running a service that charged customers for each records search they ran.”
Doing the math
Right now, based on the information released by government investigators, security experts, and Experian and its subsidiaries, it's not possible for ordinary Americans to know whether their Social Security numbers were accessible to Ngo and his criminal clients, let alone whether their specific number was actually accessed.
But consider: that database had 200 million Social Security numbers. The total current American population is 317 million, and that figure includes children and teenagers, who do have Social Security numbers but are too young to have credit cards or any sort of legitimate financial paper trail attached to their identities yet.
Meanwhile, a quick look at census data says that, as of 2012, 23.5% of all Americans were under 18 — by now, roughly 77 million. Subtracting that from the current American population leaves 240 million American adults, 200 million of whom have their Social Security numbers in that accessible-to-thieves database.
In other words: if you're an American adult with an actual financial history, there's only a 1-in-6 chance your information was not on that database accessible to the criminal clients of a Vietnamese identity thief.