A Vietnamese man was recently sentenced to 13 years in U.S. federal prison for running an identity theft service that was aided by the database from a subsidiary of Experian, the major credit bureau with operational headquarters in Costa Mesa.
Hieu Minh Ngo, who ran an I.D. theft service variously named Superget.info and findget.me, admitted hacking into databases belonging to some of the world's largest data brokers, including Experian's Court Ventures, which collects and aggregates information from public records.
The government says Ngo made nearly $2 million from his service that sold access to "fullz," the slang term for packages of consumer data that could be used to commit identity theft in victims' names. The IRS believes Ngo had access to the personal data, including Social Security numbers, of more than 1,300 U.S. citizens and that his customer filed $65 million in fraudulent individual income tax returns.
If you like this story, consider signing up for our email newsletters.
SHOW ME HOW
You have successfully signed up for your selected newsletter(s) - please keep an eye on your mailbox, we're movin' in!
"From his home in Vietnam, Ngo used Internet marketplaces to offer for sale millions of stolen identities of U.S. citizens to more than a thousand cyber criminals scattered throughout the world," said Assistant Attorney General Leslie R. Caldwell, in a press release. "Criminals buy and sell stolen identity information because they see it as a low-risk, high-reward proposition. Identifying and prosecuting cyber criminals like Ngo is one of the ways we're working to change that cost-benefit analysis."
Ngo was arrested in 2013, after he was lured to Guam with the offer of access to more consumer data by an undercover U.S. Secret Service agent. Ngo had been facing more than 24 years in federal prison, but his sentence was lightened because he cooperated with investigators to secure the arrest of at least a dozen of his U.S.-based customers.
Experian officials previously told Congress that the company was not aware of any consumers who had been harmed by an incident. In March of last year, Experian posted online the "facts" it knew about the case. They could have picked those up years earlier on Krebs on Security, which deserves kudos for first writing about Ngo's service in November 2011.