250,000 people have been affected by data breaches; San Diego city attorney has brought Experian to court
According to a report in The San Diego Union-Tribune, the city of San Diego, through city attorney Mara Elliott, has filed a formal lawsuit against the global credit intelligence giant Experian over a data breach first reported in 2013 by the security research agency KrebsOnSecurity. Two million San Diego people were affected in the data breach, but Experian notified the affected consumers.
The data breach at issue in Mara Elliott's lawsuit involved Court Ventures, a subsidiary of Experian. Founded in 2001, the company describes itself as specializing in data aggregation, processing, and distribution. Its aggregated data covers almost 80% of the population of the United States. In March 2012, it was acquired by Experian.
According to a report published by KrebsOnSecurity at the time, a 25-year-old Vietnamese man, Hieu Minh Ngo, ran two identity theft services on the Dark Web, named “Superget.info” and “Findget.me,” respectively. The source of the data was actually Court Ventures.
Ngo posed as a licensed private detective in Singapore and accessed U.S. consumer data through legal channels (by paying Court Ventures thousands of U.S. dollars a month). Because Court Ventures had signed an interoperability agreement with another company that provides consumer data, US Info Search, Ngo could also obtain the more than 200 million personal data records about U.S. consumers collected by US Info Search. These data include names, addresses, social security numbers, birthdays, work history, driver’s license numbers, email addresses, and bank information.
After Ngo obtained the data, he peddled it through the identity theft service he operated on the darknet. The service began in 2010 and continued until February 2013, when Ngo was arrested. During the investigation, Ngo stated that over the 18 months, about 1300 “customers” purchased personal data on about 3.1 million U.S. consumers.
In fact, once a “customer” had paid for the data, Ngo let the “customer” search freely for whatever data they needed. Ngo therefore did not know how many U.S. consumers were affected. Ngo made more than $1.9 million in profit this way and was finally jailed for 13 years in July 2015.
In the lawsuit filed by the city of San Diego, city attorney Mara Elliott said that the personal data of about 30 million U.S. consumers was stolen in this data breach, including that of about 250,000 San Diego residents.
Mara Elliott said that Experian acquired Court Ventures in 2012, and that the company knew or should have known about the incident. Experian did not inform consumers about the incident as legally required, and without any information being released by law enforcement investigative agencies.
Under U.S. unfair competition law, the maximum fine for every single item of information may reach $2,500, which means that Experian may face a multi-million dollar fine.