Brian Krebs, lead researcher with the KrebsOnSecurity newswire, claims that an ID theft service – handling data on millions of Americans – has been sourcing some of its data from the Experian credit reference agency.
The researcher says his investigations are based on a lengthy investigation dating back to November 2011, when he first reported on Superget.info, a darkware site that sold itself on the ability to look up US Social Security numbers, birthdays, drivers licence records and financial information on US citizens.
“Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter sourceid: identifiers, including TH, MV, and NCO, among others,” he says, adding that a reader subsequently identified the abbreviations as those produced by Columbus, Ohio-based USInfoSearch.com.
When contacted about the reader’s claim, a spokesperson for USInfoSearch.com told Krebs that the data was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had data sharing arrangement, which was acquired by Experian in March of last year.
It now seems that Superget.info had gained access to Experian’s database by masquerading as a US-based private investigator, although staff with Superget were apparently based in Vietnam.
Experian, says Krebs, declined multiple requests for an interview, but in a statement it acknowledged the broad outlines of what had happened and said it had been working with the Secret Service to bring a Vietnamese national – Hieu Minh Ngo – to justice in connection with the online ID theft service.
“Meanwhile, it’s not clear what – if any – trouble Experian may face as a result of its involvement in the identity theft scheme,” he said, adding that the saga bears a resemblance to a series of breaches dating back to the mid-2000s at ChoicePoint, a data aggregator that acted as a private intelligence service to government and industry.
Krebs quotes Avivah Litan, a financial fraud analyst with Gartner, as saying that the credit reporting agencies have strict guidelines regarding who they may distribute credit reports to.
Commenting on Krebs’ revelations, Tim Erlin, director of product management with Tripwire, said that the custody chain for the personal data involved in this breach clearly demonstrates the complexity of the ‘data broker’ industry.
It also, he says, highlights the complete lack of transparency for the individual consumer.
“Whilst I may have elected to share my data with a specific organisation in order to apply for a loan or obtain a government service, my data is then sold, aggregated and re-sold through multiple companies into which I have no visibility,” he said.
“How can a consumer protect themselves when all of that process is perfectly legal and perfectly opaque? Experian, a company offering ID theft protection, cannot even unravel this tangled Web itself,” he added.