The Vietnamese national who sold criminals access to the Experian-owned database containing information on 200 million US Consumers pleaded guilty to running an identity theft service, according to a report by security writer Brian Krebs.

Vietnamese national Hieu Minh Ngo admitted at a March 3 federal court hearing to letting criminals search the Court Ventures database using his access for personal identifying information (PII) that can be used to commit bank and credit card fraud. Ngo’s criminal clients obtained for “fulls,” or bundles of information which included individuals’ names, addresses, Social Security numbers, dates of birth, places to work, duration of work, dates of employment, state driver’s license numbers, mother’s maiden names, bank account and routing numbers, email account names and addresses, and account passwords, according to Krebs, who posted details of the hearing.

Court Ventures aggregated and distributed public records data from over 1,400 state and county sources, as well as US Info Search. Experian acquired the company in March 2012 but did not notice the queries Ngo and his clients were making. The United States Secret Service alerted the company and the reports of the breach broke in October 2013. At the time, Experian said “no Experian database was accessed,” as Court Ventures data came from US Info Search.

Ngo allowed 1,300 criminals to “make more than three million queries of U.S. Citizens’ PII” over an 18-month period, according to the hearing transcript. The Justice Department claimed Ngo received more than $1.9 million for his services.

It’s important to note that a criminal performing a search via Ngo’s service almost always received multiple records, Krebs warned. If Ngo’s clients conducted 3.1 million individual queries, the sheer number of records exposed is “potentially as many as 30 million records,” Krebs said.

During the March 3 hearing, Ngo pleaded guilty to one count each of wire fraud, identity theft, and access-device fraud. He faces a maximum prison term of 45 years. Sentencing is scheduled for June 16.

Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including iPCMag.com where she is a networking and security analyst.  She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products. 

Leave a Reply