This story has made headlines in the US today following the arrest and indictment a Vietnamese individual who operated an identity theft service called Superget.com out of Vietnam.   The US Department of Justice announced the indictment on Friday, Oct. 18th 2013.   Superget.com sold Social Security and driver license numbers as well as bank account and credit card data on millions of Americans.  The data was purchased from Court Ventures and USInfoSearch.com.  The Vietnamese fraudster masqueraded as a private investigator and thus was able to enter into a customer relationship with Court Ventures.

The embarrassing situation for Experian is the fact that it acquired Court Ventures in March of 2012.    Founded in 2001, Court Ventures sources, aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.  It must be assumed that Experian’s due diligence process did not dig deep enough to discover the fraudulent customer relationship.  According to KrebsOnSecurity.com the warning signs should have been visible since the company paid for its services from Singapore.

KrebsOnSecurity stated in its blog that Experian declined multiple requests for an interview. But in a written statement provided to KrebsOnSecurity, Experian said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service. Their statement is as follows:

“Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice.  Experian’s credit files were not accessed.  Because of the ongoing federal investigation, we are not free to say anything further at this time.”

Shades of ChoicePoint?  When reading this unfortunate story one is reminded of ChoicePoint, a data aggregator that acted as a private intelligence service to government and industry. Beginning in 2004, ChoicePoint suffered several breaches in which personal data on American citizens was accessed by criminals posing as legitimate businesses.  ChoicePoint was later sued by the U.S. Federal Trade Commission, an action that produced a $10 million settlement — the largest in the agency’s history for a violation of federal privacy law.   ChoicePoint lost its independence by being taken over by LexisNexis.

It can be assumed that the new Consumer Financial Protection Bureau will come down hard on Experian and the Court Venture acquisition will turn out to be an expensive one.

Credit Bureaus should learn their lessons from such sad cases and should dig deep in terms of ‘Know Your Customer’.

Sources:  Department of Justice and KrebsOnSecurity.com