Details are still coming in regarding one of the biggest data breaches in history that compromised the personal records of 200 million Americans! The scam was propagated by the online ID theft service Superget.info, and it’s currently being investigated by the U.S. Senate Committee on Commerce, Science, and Transportation.

A service like Superget.info is a one-stop shopping experience for hackers around the world to buy stolen identities. Oftentimes, the hackers responsible for malicious activity using stolen identities aren’t the same people responsible for the theft of a user’s identity. Instead, they simply bought the user’s sensitive information from a website like Superget.info and then did what they wanted to with the data.

This is how Superget.info operated. Based in Vietnam, this online ID theft service was run by 24-year-old Hieu Minh Ngo. According to KrebsOnSecurity, “Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and February 2013.” Before the site was taken down, stolen information available on Superget.info included Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses, and other sensitive data.

Upon investigation by the Senate committee, it was found that customers of Superget.info retrieved information from millions of users. As reported by KrebsOnSecurity:

The government alleges that the service’s customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending February 2013, Ngo’s customers made approximately 3.1 million queries on Americans.

Who’s to Blame?
A breach that lifted information from 200 million users was the result of a single big scam against one of the world’s largest databases, Experian. Experian is one of the three major U.S. credit bureaus. This is the company that keeps multiple pieces of personal information of every American for the purpose of running credit checks. This makes Experian a hacker’s goldmine. Instead of going with a typical hack and stealing data by breaching a firewall, Hieu Minh Ngo took advantage of a business acquisition by Experian.

In March 2012 Experian acquired Court Ventures. Founded in 2001, Court Ventures describes itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Insight into the scam and Court Ventures was given to KrebsOnSecurity by Marc Martin, CEO of U.S. Info Search, a data company that shared data with Court Ventures. Martin explained that Ngo posed as a U.S.-based private investigator from Court Ventures in order to obtain the keys of Experian’s data castle. From Martin’s perspective, Experian should have caught some of the red flags put up by Ngo:

While the private investigator ruse may have gotten the fraudsters past Experian and/or Court Ventures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

In a written statement to KrebsOnSecurity, Experian acknowledged Martin’s explanation:

Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the U.S. Secret Service notified Experian that Court Ventures had been and was continuing to resell data from U.S. Info Search to a third party possibly engaged in illegal activity. Following notice by the U.S. Secret Service, Experian discontinued reselling U.S. Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian’s credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time.

Last year, Hieu Minh Ngo was detained in Guam by U.S. Secret Service agents, and in March, Ngo pleaded guilty to running the online identity theft service. Even more recently, during a Senate committee hearing, Tony Hadley, Experian’s senior vice president of government affairs, gave testimony that revealed the scope of Ngo’s operation to include personal information from 200 million Americans.

How Can You Prevent Your Personal Data from Being Stolen Like This?
Essentially, there’s nothing that you can do to prevent your sensitive information from being stolen from another company that has it on file. When you give your data to a company like Experian you’re trusting them to have security measures in place that will protect it from the likes of Ngo. This assurance of security is an agreement that you make with every company that you engage in a financial transaction with. This is why it was such a big deal when retailer Target was recently hacked and the financial information of 110 million of its shoppers, including me, was compromised. In light of the experiences of Experian and Target, you will need to make sure that you’re doing everything you can to protect your customers’ financial information that has been entrusted to your own business.

While you can’t do anything to keep your personal information from being stolen from a third party, you can closely monitor your financial records and take quick corrective actions if your data is stolen. Here are a few corrective measures you can take: get new credit cards, change the passwords to your various online accounts, and be sure your business has implemented proper safeguards. At IronEdge Group we update our online banking passwords every ninety days and leverage Intuit Payment Network’s secure payment portal, customer-initiated ACH, and proper paper check handling procedures to ensure our customers’ banking data is secured.

Quotes courtesy of krebsonsecurity.com.