One of the top US credit bureaus was scammed into selling social security numbers to a Vietnamese hacker for months, according to a report from Krebs on Security. Experian — one of the three national US credit bureaus — reportedly sold SSNs through its subsidiary, Court Ventures, to Hieu Minh Ngo, who allegedly operated an identity theft service called SuperGet.info. The site also sold drivers license, bank account, and credit card numbers along with other personal data, though it’s not clear how much of it came from Experian. Ngo has since been indicted in New Hampshire following his entry into the US.
Though Experian holds highly personal information so that it can issue credit reports, it may at times sell that information to other ostensibly discreet parties that offer services such as fraud prevention. By posing as a US-based private investigator in need of such information, Ngo was able to gain access to Experian’s data through Court Ventures, reports Krebs. But while Court Ventures only discovered the mishap after it was alerted by the US Secret Service, Krebs writes that the company didn’t catch odd inconsistencies with Ngo’s story, such as his monthly payments coming through wire transfers from Singapore.
In a statement to Krebs, Experian acknowledges the general details of the report, including that Court Ventures was selling data to Ngo, who appeared to be engaged in illegal activities. Though Experian says that its credit files weren’t accessed, it doesn’t clarify exactly what information was exposed. While Krebs writes that it’s still unclear if Experian will see any repercussions for its role or potential negligence, it also reports that similar cases have brought about lawsuits from the FTC.