Looks like Experian got punked. The credit bureau -- one of the three big ones in the United States -- appears to have sold troves of identity data from over half a million people to a site that turned around and resold the data on the black market.
Security researcher Brian Krebs has reported on his blog how the website Superget.info, a personal-data black market based in Vietnam which Krebs has reported on in the past, obtained personal data from Experian.
No, not by hacking them. By simply buying it from them.
Sometime in 2012, a man posing as a private investigator working in the United States set up an account with Experian and began using the service. The actual purchase itself, Krebs reported, was suspicious enough that it should have set off any number of red flags: for one, it was paid for by wire transfers sent from Singapore. But even if Experian didn't flag what was going on, the U.S. Secret Service did, which has since swooped in, made arrests, and given Experian a hard time.
The data trail that Krebs analyzed showed that much of the data harvested from Experian and sold on Superget.info was actually harvested from a company named U.S. Info Search. But U.S. Info Search itself didn't seem to be the source of the leak. Rather, it was due to a peering arrangement with yet another data provider, Court Ventures.
Court Ventures and U.S. Info Search set up an information-sharing agreement some years ago, with each allowed to access the other's databases. But in 2012, Experian purchased Court Ventures, apparently preserving the information-sharing agreement between the two companies. Thus, the fraudster who siphoned data out of Experian was able to also steal from U.S. Info Search by proxy.
Experian is not able to say much about the whole issue, given that it worked with the Secret Service to help track down the man believed responsible, a 24-year-old Vietnamese man named Hieu Minh Ngo. Hieu has recently been arrested and charged with multiple counts of fraud. (It's striking that identity fraud only carries a statutory maximum penalty of five years.)
Cases like these highlight several of the major problems with data brokers. For one, the process by which they determine the validity of a given customer still seems terribly opaque. How is it that Hieu (or perhaps one of his confederates) was able to buy such massive quantities of personal data through such a flimsy ruse without setting off any alarms?
The other issue exposed by this case is the security implication of having data brokers set up peering arrangements with each other. In such a case, the least secure link in the chain becomes an easy point of ingress, and it's frightening to think the weak link here was also the biggest one: Experian.
Krebs has noted that the FTC is increasingly concerned about data brokers who don't do due diligence to keep their product from falling into the wrong hands. It should be enlightening to see the report the FTC has planned for release, which was assembled after sending subpoenas to nine different data brokers and grilling them about their business practices.
This story, "Crooks 'stole' Experian data the old-fashioned way: They bought it," was originally published at InfoWorld.com.