Experian has denied that its database was compromised, and said that reports claiming 200 million records were breached are “false and that the actual number is much lower”.
In a blog post, Gerry Tschopp, senior vice president of public affairs and public relations for Experian North America, said that the information about Experian circulating in news outlets and other websites is inaccurate.
The story was revealed by Brian Krebs last year. He said that an identity theft service which sold Social Security and driver's license numbers purchased much of its data from Experian, which said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service. Experian said that this is an unfortunate situation and one that “we continue to take very seriously.”
Tschopp said: “I want to be very clear: No Experian database was accessed in this incident. In fact, the database that was accessed in this criminal scheme was owned and controlled by US Info Search, a company that is completely separate from Experian.” He said that after Experian purchased the assets of Court Ventures in 2012, that company had a contract with US Info Search that allowed customers of Court Ventures to access US Info Search’s data to find the address of a person in order to determine which court records to review.
However, Experian was notified that Court Ventures had been reselling, and was continuing to resell, data from a US Info Search database to a third party that was possibly engaged in illegal activity. “The suspect in this case posed as a legitimate business owner and obtained access to U.S. Info Search data through Court Ventures prior to the time Experian acquired the company.”
Tschopp said that after this, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the perpetrator, to justice. He will be sentenced in June.
“Some news reports and sensational headlines are saying that Experian lost 200 million consumer records. This is not the case, as it was not Experian’s database that was accessed, but rather US Info Search’s database,” Tschopp said.
“This is a situation that Experian takes very seriously and we acknowledge the concern consumers may have about this illegal access. We are actively pursuing the facts and we are working with investigators to help uncover what records may have been affected.”
A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity showed that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.
This follows a report by the Chicago Tribune, which revealed that a number of US states are jointly investigating the data breach. It reported that the Illinois and Connecticut Attorneys General are said to be investigating, while the two states have also been leading a multistate coalition investigating the data breach at retailer Target.