Feedback
Tech

States Investigating Data Breach at Experian: Report

U.S. attorneys general have launched a multistate investigation into a breach in which criminals gained access to a repository of some 200 million Social Security numbers through a unit of data provider Experian Plc.

"We are investigating," said Maura Possley, a spokeswoman for Illinois Attorney General Lisa Madigan. "It's part of a multistate investigation."

Jaclyn Falkowski, spokeswoman for Connecticut Attorney General George Jepsen, said Connecticut is also looking into the matter also.

Neither spokeswoman would say if other states were involved.

A spokesman for Experian said the company does not comment on such investigations as a matter of policy.

Vietnamese national Hieu Minh Ngo last month pleaded guilty in New Hampshire federal court to running an underground website that offered clients access to personal data of Americans including Social Security numbers, which could be used for identity theft and other types of financial fraud.

Federal authorities say that he obtained some of that through a U.S. firm known as Court Ventures, which provides customers with access to court records. It also offers them access to a database of Social Security numbers of some 200 million Americans through a data-share arrangement with another firm, known as U.S. Info Search.

Ngo obtained an account with Court Ventures sometime before March 2012, when Experian bought the data firm, by posing as a Singapore-based private investigator, according to court documents.

Prosecutors say that Ngo's customers used Court Ventures to make some 3.1 million queries of the U.S. Info Search database over an 18-month period ending in February 2013. Authorities have not said how many people's data was accessed through those queries, each of which could have potentially included multiple records or returned no data.

Officials with both Experian and U.S. Info Search say they have not been able to ascertain which records were accessed by Ngo's customers and are therefore unable to notify victims.

Cybersecurity blogger Brian Krebs has more details here.

— Reuters and NBC News