Experian Breach Fallout: ID Theft Nightmares Continue

Published: 22/11/2024   Category: security




Data brokers amassing gigantic data stores of people's valuable personal information are too big to not fail. Why are consumers getting stuck with the mess?



Let's review the ID theft landscape: A big business that earns millions from the buying and selling of personal information about you -- social security numbers, addresses, bank account details -- loses that information in a data breach, or maybe accidentally sells it to overseas fraudsters.
What happens next? Well, the business -- which, legally speaking, has no business relationship with you and thus can't be sued for the loss unless some immediate harm can be proven -- goes on buying and selling personal data. Consumers, however, get to keep looking over their shoulders, and bank statements, and credit card statements, wondering if some secreted stash of their personal information offered for sale via a foreign server is being bought and sold by data brokers' underground counterparts -- namely, ID thieves.
That's the situation that one InformationWeek reader I'll call Ann -- she asked to remain anonymous -- now finds herself in, after the news broke that an Experian subsidiary called Court Ventures was selling information directly to Superget.info, a Vietnamese fraudster service that offered customers the ability to look up millions of Americans' social security and driver's license numbers and financial information.
"I am possibly a victim of these people, but don't know for sure. In my case, seemingly MasterCard accounts were targeted -- a few fraudulent charges on one card, a few more on another a week or two later, and then the fraudulent creation of an online account on a third credit card for which I hadn't chosen to create my own online account," said Ann, who's the president of a small software company that sells point-of-sale software for restaurants. "When the fraudulent online account was created, it contained updates to my home address and phone number, among other changes. This was enough for the credit card company to forward an address change for me to the credit bureaus."
But Ann, who started her career as a Fortran and Cobol programmer and previously worked in the finance sector, said she wasn't tipped off about the ID theft until she received a letter that asked her to confirm a bogus address change. "At that point I alerted the credit bureaus, and am in the process of getting this mess fixed," she said. "Fortunately, the credit card companies caught this before fraudulent charges hit my statements, but it's a time-consuming nightmare."
One of the rubs in these situations is that when a consumer like Ann spots that her identity has been stolen, the culprit may not be clear. Indeed, her personally identifiable information (PII) may have been stolen several years ago, and only recently put to use.
Not coincidentally, when the Department of Justice announced the arrest of Vietnamese national Hieu Minh Ngo, 24, earlier this week on a 15-count indictment that included numerous identity theft and fraud charges, it alleged that over a three-year period he'd offered for sale, sold and/or transferred to others packages of PII for more than 500,000 individuals.
What the Justice Department statement didn't mention, however, was that much of this resold data was purchased from a U.S. data broker known as Court Ventures, which Experian bought last year. We know about that flow of data thanks to investigative reporter Brian Krebs, who traced two-character and three-character sourceID data attached to information being sold by the fraudster-friendly site Superget.info -- allegedly operated by Ngo and a John Doe co-conspirator -- back to USInfoSearch.com, a legitimate data broker which previously pooled its data with Court Ventures for resale.
"The suspect in this case obtained access to U.S. Info Search data through Court Ventures prior to the time Experian acquired the company," an Experian spokesman said via email. According to Krebs, the Vietnamese criminals tricked Court Ventures into thinking they were U.S.-based private investigators. A missed red flag was that their payments always came via wire transfer from Singapore.
The obvious next step for Experian would be to issue data breach notifications to the more than 500,000 Americans affected by the breach, as well as offer identity theft services. Helpfully, of course, Experian already has the victims' postal addresses -- since it buys and sells this information -- so they will be easy to find. In addition, Experian has its own ID theft monitoring service. That said, consumers might prefer that Experian contract with a third party, given that the company itself learned of the data breach not via due diligence of Court Ventures prior to the acquisition, but after the fact, courtesy of the U.S. Secret Service. Will Experian take these next steps -- sending notifications to affected consumers and providing free, third-party ID theft monitoring -- and if so, in what timeframe? I emailed those questions to a company spokesman Thursday, but haven't heard back yet (and will update this story when I do).
Regardless of how Experian responds, here are a few takeaways for consumers who want to avoid, through no fault of their own, becoming ID theft victims: "Maybe you can make your readers aware of the importance of maintaining online accounts for credit cards, even just so no one else steps in," said Ann. "In addition, I found my new address and phone in online searches for myself at phone listing companies, which obviously cull the credit bureau websites."
Since consumers now have the right to see one credit report per year from each of the three big credit reporting firms -- Equifax, Experian (them again) and TransUnion -- one useful technique is to order one report from a different bureau every four months.
While the suspect in this case, Ngo, is brought to justice, what of Experian's role here? As Ashkan Soltani, an independent privacy and security researcher who formerly worked with the Federal Trade Commission, said about the Court Ventures debacle, it's yet another example of how data brokers expose consumers to unnecessary risk.
On that front, FTC chairwoman Edith Ramirez has called on Congress to give the agency more power to ensure that data brokers' buying and selling of people's personal information doesn't infringe on consumers' interests. "The time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight," Ramirez said in a keynote speech at the Technology Policy Institute's Aspen Forum in August. In other words, with big data comes big responsibility. Firms that acquire and maintain large sets of consumer data must be responsible stewards of that information.
Perhaps the information sold by Court Ventures to the alleged Vietnamese ID-theft-as-a-service providers will include copious amounts of personal information on members of Congress, as well as their staff. Of course, that will be bad luck for them. But as they -- like Ann -- invest their own time, energy and money into attempting to clean up the resulting mess, maybe it will drive Congress to empower the FTC to hold data brokers accountable as they amass ever-increasing amounts of our personal data.
In the meantime, keep a close eye on your credit reports, bank statements and credit card statements.
