Do credit bureaus need to be held to higher levels of accountability for the massive amounts of consumer data they hold?
Security expert and former Washington Post reporter Brian Krebs says that the answer is yes, and backs up this assertion with fresh new details of fraud related to the previously reported theft of personal data from the credit bureau Experian.
Krebs reported on his blog Monday about two separate incidents connected to the Experian theft that could have implications for the way credit bureaus manage and store the personal data of millions of Americans.
In the first incident, an Ohio man named Lance Ealy was arrested for purchasing the Social Security numbers and other personal information from an online identity theft service that was run for about 10 months by Hieu Minh Ngo in Vietnam. Ngo had acquired the data through an Experian subsidiary called Court Ventures. He pleaded guilty earlier this year to running the ID theft service.
Krebs wrote that Ealy allegedly used the stolen information to electronically file at least 150 fraudulent tax returns for which refunds were sent to prepaid card accounts he controlled. Ealy was arrested by the U.S. Secret Service on November 25, 2013. He was one of 1,300 customers of Ngo's service.
Yet even after that arrest, Krebs reported Monday that an Experian executive told Congress in December that the company was not aware of any consumers who had been harmed by Hieu Minh Ngo's access to consumer records.
An Experian spokesperson did not immediately respond to a request for comment.
A spokesperson for the Federal Trade Commission, which is said to be conducting an investigation of data brokers, said that because FTC investigations are nonpublic, the agency could neither confirm nor deny the existence of any investigation. He did refer to the FTC's web page on data security guidance for businesses.
In an interview with Bank Technology News Monday morning, Krebs shared his thoughts what led to this events and how they ought to be addressed.
BTN: It sounds like Experian's real mistake was buying Court Ventures and not doing the proper due diligence on the company first.
Brian Krebs: That's what's been clear. They even stated that in their testimony before Congress. They just said they didn't have enough information to vet the company. I guess they decided it was O.K. to acquire it anyway.
From what I can tell, we're going to be seeing a lot more cases like this. Everyone is innocent until proven guilty, of course. But the government doesn't lodge these cases unless they feel pretty good about them.
Do you think we'll see more fraud from individual identity thieves who worked with Hieu Minh Ngo?
I don't think there's any question. He had about 1,300 customers. Not all of them were in the U.S. but a fair number of them were.
Is US InfoSearch also responsible? [Columbus, Ohio-based US Info Search had a contractual agreement with Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures' data. This was the direct source for the data Hieu Minh Ngo sold Ealy and others.]
There's a lot of shared responsibility here: Court Ventures, US InfoSearch, and Experian. We're at an impasse on figuring out how much each party is to blame because it's now come to litigation and nobody's talking and they'll start pointing fingers at each other. Experian has said they're the victim and it's not their fault. What's getting lost in this discussion is the fact that there are real victims here; consumers have been harmed as a result of this unfortunate incident.
Could this represent a systemic problem throughout the credit bureau industry?
Experian figured out what was going on after somebody else told them. You have to wonder how many times this has happened where nobody notified them and they kept it quiet. And Experian's not the only company in this business. There are several other credit bureaus that take consumer data and bundle it up in different ways and resell it. I think we need to have a national debate about what the role of these companies is and what their proper role is when it comes to protecting people's identity and privacy. I think it's telling that in an era when it seems every day there's another major data breach, the default response for a company is to sign other customers up to give more information to Experian, which is in the business of building dossiers on people and selling that information. I think that's kind of perverse in a lot of ways.
Could the credit bureaus be doing more to protect consumer data now, knowing that there's potential for more criminals to have already stolen identity information from their databases?
They could be more transparent. Parse what they said to Congress. They said we know who these people are and we're going to protect them. And in the same breath, they said no one was harmed. Who is at risk here? They could start by being a little more transparent about what they mean when they say they know who's affected. They're really concerned, and rightfully so, about class-action lawsuits, which I think are coming. Not that I think that's the solution.
Do you think there could be similar cases lurking with TransUnion and the others?
It's fair to say the other credit bureaus are watching this closely. The entire industry is long overdue for a sanity check. At the end of the day, this is an industry that has almost a government-mandated monopoly on people's personal information. I think the government has dropped the ball on this.
People get spun up when there's a credit card breach. That's the one thing people understand: somebody stole my credit card. Then this kind of thing happens and everybody's like, who's Experian, what's a TransUnion? We have so little financial literacy about this topic.
Potentially you could steal someone's entire identity [from a credit bureau database] and do a lot more with it.
Right. And I've seen people on Twitter saying things like these people aren't victims if the IRS accepted the fake return. It's bad enough when somebody steals your ID, when you add the IRS to the mix, it's a whole different kind of proctology exam you don't want to have -- on top of how hard it is to get your identity back. The people perpetrating these types of crimes usually don't do just tax fraud, they're into new account fraud and other types of crime. Anyone who tries to say this is a one-off thing that involves just the Treasury and not taxpayers doesn't understand the types of criminals involved in this type of scheme.