On Friday, U.S. District Judge James Selna sent a lawsuit against Experian, Court Ventures, and InfoSearch back to Orange County Superior Court, denying the defendants’ motion to dismiss outright. The case is Patton v. Experian, and I blogged about it when it was first filed last year. I’ve also blogged, in the past, about how outrageous it was that no one was notifying consumers whose identity information had been compromised because Experian, Court Ventures, and InfoSearch were all pointing fingers at each other and saying they didn’t have complete enough information to make notifications. So one year after the lawsuit seeking an injunction to compel notification was filed, and more than two years after the breach was first disclosed, individuals whose data were accessed by criminals have still not been individually notified, it seems. Why, oh why, the FTC didn’t go after Experian over this incident – and InfoSearch – and Court Ventures – is beyond me, as this was a horrific breach, and I had already brought to the FTC’s attention numerous other data security breaches involving Experian. If the FTC wants to really protect consumers, it should have gone after Experian and not just punted or hoped the Consumer Financial Protection Bureau would do something. Their failure to take action over this horrific breach that was not only likely to cause substantial injury to consumers, but did cause substantial injury to consumers, may be, in my opinion, one of their greatest failures in FTC’s Section 5 enforcement history. And what have state Attorneys General that were reportedly investigating this incident done? Will anyone ever actually do something and smack down responsible parties in a way that sends a clear message that if you are making money trafficking in personal information, you’d damn well better be able to notify individuals in the event of a breach?
He beat me to it. 🙂 While I took a break to argue on Twitter about the hacked Jeep story in Wired, Brian Krebs was reporting on a class action lawsuit filed against Experian over the Court Ventures/U.S. InfoSearch data breach that was covered extensively on both his site and on this site. The lawsuit was filed in federal court for the Central District of California. I’ve uploaded a copy of the complaint here (pdf). To summarize some of the key points in the complaint: 1. The plaintiffs, led by Maudie Patton, Jacqueline Goodridge, and Virginia Kaldmo, are suing Experian for violations of the Fair Credit Reporting Act, the California Business & Professions Code §§ 17200, et seq., and the Declaratory Judgment Act. Neither Court Ventures nor U.S. InfoSearch is named as a defendant in the lawsuit. 2. The plaintiffs are seeking to recover FCRA statutory damages and injunctive relief requiring Experian to (i) notify each U.S. citizen whose PII (a) was accessed by Ngo, (b) sold by Defendant to Ngo and/or his fraudster customers, or (c) was otherwise exposed in the Security Lapse, (ii) provide quality credit monitoring and substantial identity theft coverage to each such person, (iii) establish a fund (in an amount to be determined) to which such persons may apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate identity theft and identity fraud (i.e., data breach insurance), from July 1, 2010 forward to the date the above-referenced credit monitoring terminates, (iv) disgorge its gross revenue from transactions with Ngo and his fraudster customers involving Plaintiffs’ and Class Members’ PII and the earnings on such gross revenue, and (v) discontinue its above-described wrongful actions, inaction, omissions, want of ordinary care, nondisclosures, and the causes of the Security Lapse. The notification issue is of particular interest to me, as this blog had covered that issue and obtained statements from U.S. InfoSearch and Experian as to whose responsibility it was to notify those affected. Based on the complaint, it would appear that no one has yet been notified, which is pretty outrageous. By the way, standing should not be an issue in this case as all named plaintiffs became victims of tax refund fraud/identity theft. Of small note, Experian, through their counsel, was originally very insistent that the breach did not affect 200 million people (even though the criminals would presumably have had access to the information on 200 million people). The complaint handles the numbers issue this way: It has so far been established that the Superget.info and findget.me websites had 1,300 customers who paid Ngo nearly $2 million over the relevant period to access databases containing the PII of 200 million U.S. citizens. Over an 18-month period, Superget.info customers conducted approximately 3.1 million queries, 1.0 million of which were conducted after Experian acquired CVI. Since each query could generate an unlimited number of hits, the actual number of individual consumer PII records exposed, accessed, obtained, and utilized by fraudsters to commit further identity theft and identity fraud could be in the tens of millions. And while all this is going on, the suit and countersuit between Experian and Court Ventures continues. Would this be a good time to point out that I filed a complaint against Experian with the FTC in April 2012? By then, Experian had already acquired Court Ventures and would now be responsible going forward, but FTC continues to disappoint by their failure to take public action over Experian’s security failures.
Trot on over to KrebsOnSecurity.com, where Brian’s connecting the dots between a number of criminal prosecutions and Ngo, the Vietnamese national who posed as a Singapore investigator to get a Court Ventures account that gave him access to reports in U.S. Info Search’s database. Experian subsequently acquired Court Ventures, and Ngo’s account was allowed to continue until Experian was notified of the criminal activity. And with this post of his, Brian has added another strong refutation to any claims that there’s no evidence of identity theft or misuse of the data. But who is notifying all those affected and who will be held accountable for this breach? As noted previously on this blog, there’s been a lot of finger-pointing. But while Experian and U.S. Info Search are pointing fingers at each other, and while state attorneys general are investigating, it appears consumers still haven’t been notified by any of the firms involved. DataBreaches.net reached out to Experian to inquire whether there was anything new in terms of agreement between U.S. Info Search and Experian as to who would notify those affected, but a spokesperson said there was nothing new to report on that front. And that’s something state attorneys general should keep in mind when looking into this whole mess. What does their state law say about who is responsible to notify consumers – the owner of the database where the consumer information resided or the company whose clients improperly accessed that database?
Brian Krebs presents some evidence that the breach involving Court Ventures/U.S. InfoSearch/Experian* (discussed elsewhere on this blog) did result in harm to individuals, despite an Experian executive telling Congress in December 2013 that there had been no reports of harm from the breach. Of course, it never made any sense to any of us that criminals would be purchasing “fullz” and then not using them in ways that harmed consumers, but it’s nice to see an actual refutation of Experian’s claim about no harm. *Note: As I’ve discussed before, it’s difficult to say whose breach this is, legally, as two of the parties involved offer their own legal perspectives and point their fingers at other parties.
As I tweeted last night, Experian has sued the former owner/shareholder of Court Ventures over the mess Experian found itself in when it acquired Court Ventures and later learned that a criminal had been using a Court Ventures account to access a U.S. InfoSearch database with information on over 200 million Americans. Today, Jim Finkle of Reuters reports on Experian’s cross-complaint in Court Ventures v. Experian, a lawsuit filed in Superior Court of California in Orange County. In today’s example of Extreme Chutzpah, it seems Court Ventures had sued Experian, seeking release of the escrow account created when Experian purchased Court Ventures. For its part, Experian counter-sued because Court Ventures had been notified of indemnification claims arising from the Ngo case. The escrow account is only a small portion of what was an $18 million acquisition. In Experian’s cross-complaint, they raise claims against Court Ventures and its co-founder and shareholder Robert Gundling for breach of warranty, breach of contract, express contractual indemnification, promissory fraud, intentional misrepresentation, and negligent misrepresentation. In their cross-complaint, Experian claims that Court Ventures misrepresented the credit header data that the service enabled clients to obtain through its relationship with U.S. InfoSearch. Experian claims that Court Ventures represented the credit header data as a service that would enable investigators to find an individual’s address for trace purposes. In actuality, Experian claims, when they checked logs after the Secret Service contacted them, Court Ventures clients – including Ngo – were able to input names and states and obtain the Social Security numbers of individuals with that name in that state. Parenthetically, I note this would be consistent with what Brian Krebs had reported: that a single query often produced records on multiple individuals.
When Experian discovered that credit header data was being used to obtain Social Security numbers, they immediately cut off the service for all users – including Ngo. In addition to the complaint that Court Ventures did not verify Ngo’s (a/k/a Jason Low) bona fides as an investigator eligible to use the service, Experian’s cross-complaint also alleges that Court Ventures engaged in web scraping and other possibly illegal acts to obtain the records in its database, despite having assured Experian in the sales agreement that Court Ventures was in compliance with all laws and Experian would have no legal issues when it took over the business. To date, and based on media reports by others, it appears that Experian has not notified any consumers about this breach and now claims that they don’t know whose data were stolen. That’s noteworthy because in December 2013, Tony Hadley of Experian informed Senator Rockefeller’s committee that Experian knew who these people (victims of Ngo’s activity) were and would protect them. Perhaps Senators Rockefeller and McCaskill should send another letter to Experian asking them to explain Mr. Hadley’s misrepresentations or errors. Jim Finkle provides some additional details on the litigation on Reuters.
Jim Finkle of Reuters reports: U.S. attorneys general have launched a multi-state investigation into a breach in which criminals gained access to a repository of some 200 million social security numbers through a unit of data provider Experian Plc. “We are investigating,” said Maura Possley, a spokeswoman for Illinois Attorney General Lisa Madigan. “It’s part of a multi-state investigation.” Jaclyn Falkowski, spokeswoman for Connecticut Attorney General George Jepsen, said that Connecticut is looking into the matter also. Read more on Reuters. This is, of course, the US InfoSearch/Court Ventures breach originally disclosed by Brian Krebs and discussed elsewhere on this blog. Experian acquired Court Ventures in March 2012, but the criminal behavior reportedly continued for another 9 months until the Secret Service informed Experian what was happening. Experian subsequently acknowledged in testimony to Congress that they had dropped the ball on due diligence when they acquired Court Ventures. They also assured Congress, however, that they would protect the individuals who were impacted by the Court Ventures breach. So far, however, I have found no reports by Experian stating that they have either sent notification letters or offered free credit monitoring to those whose data were acquired because Court Ventures (and then Experian) allowed a criminal to open an account that gave him access to US InfoSearch’s database under a reciprocal agreement. Update: Okay, after I first posted this, Reuters replaced the original brief story with one with more details. The fuller version helps explain why there has been no notification of affected individuals yet: Officials with both Experian and U.S. Info Search say they have not been able to ascertain which records were accessed by Ngo’s customers and are therefore unable to notify victims. So… because of an arrangement U.S. InfoSearch made with Court Ventures that continued under Experian’s ownership, no one can figure out whose data were accessed? Are the companies going to be allowed to get away with that, or will they pay a price for that failure to maintain logs sufficient to provide that information?
Long-time readers know that this blogger has encountered some interesting situations over the years in response to trying to engage in responsible disclosure of leaks or incidents. As just a few examples (apart from all the lawsuit threats for exposing leaks or incidents), this blogger was: — threatened with being infected with HIV by angry app users if I reported on a leak involving a dating app for people with HIV; — charged criminally in India for reporting on a leak there; and — contacted by two researchers who anonymously handed me 400 vulnerabilities they had found because they were afraid of being prosecuted; they left me to try to figure out what to do with all their findings and how to make 400 notifications. Also as a reminder, my About page cautions people who are thinking of threatening me, because I have been threatened with more lawsuits than I can even remember by now: If you want to send me legal threats about my reporting or comments, knock yourself out, but don’t be surprised to see me report on your threat, any confidentiality sig blocks you may attach notwithstanding. I have been threatened with lawsuits many times, and to be blunt: there is NOTHING you can threaten me with that will scare me even 1/10th as much as the day both my kids got their driver’s licenses within 15 minutes of each other. So keeping all that in mind, today’s saga starts with a contact I received on or about September 10. The individual did not give me any name or alias. Nor did they give me any affiliation, but from some of their statements, it appeared that I was likely dealing with someone who was part of a foreign ransomware group.

An Unusual Story Begins

That they didn’t really know me well became evident a few minutes later when they threatened me that if I told anyone what they were about to say, they would …. well, to be honest, I’m not sure I understood what they were even threatening, and the message disappeared so there’s no copy for me to review at this point.
In any event, threats are not the way to win my heart or mind — or cooperation. But this story was so different than what I expected that even though I agreed to keep what they were going to tell me all off the record, the individual and I have since agreed that I could tell the story, although I still have to omit certain details. So now put yourself in my shoes (which are usually sneakers if you need to visualize): you are a blogger and a privacy advocate and activist. Someone — likely a criminal — contacts you out of the blue and asks if you will help them *return* data that someone hacked. The individual does not want any money or anything — they just want to return data to a non-profit who never should have been hacked and who had never paid any ransom. “Don’t they have a backup?” I asked (all quotes are approximate as there are no recorded messages for me to consult at this point). The backup had been wiped out by the attacker, I was told. So there’s a non-profit that had all their data exfiltrated, their files were encrypted, and their backup was destroyed. And you are asked to let them know that someone wants to get their data back to them — for no fee and with no publicity about the breach at all. “Why can’t you call them yourself?” I asked. They couldn’t call because they are not in this country, I was told, and because they were concerned that the FBI would get involved. They would upload the non-profit’s data somewhere and give me the links to give them, if I would help get the message to the non-profit.

Ethics? Law? What Do I Do?

All kinds of thoughts went through my head, especially whether the data could have malware in it (but that could be checked by the FBI or someone, right?) and whether I would be violating any ethics code or actual laws.
If I made the call to the non-profit to tell them that I’m a blogger who was contacted by threat actors who wanted to give them back their data, and it was available to them at a link I would give them, could and would law enforcement charge me with aiding and abetting criminals? And would I be aiding and abetting criminals? They obviously wanted to return the data, so wouldn’t I be aiding them? But they weren’t asking for money and were allegedly just trying to right a wrong. If you aid a criminal in righting a wrong, are you a criminal, too? I would be trying to aid a victim of a crime. If somehow the criminal got something out of it that they wanted, does the balance still favor helping the victim? And if I didn’t make the call, could the non-profit be left in a mess that I could have remedied? Did my ethical obligations lead to the same decision as any legal duties or did they conflict? My head was spinning, and I was reminded once more how much I miss Kurt Wimmer and how helpful he was to me for more than a decade. I finally decided that I would make the call in the hopes that a victim would get their data back. So I called and left a detailed voicemail on the non-profit’s system. I gave them my real name, phone number, info on this site, and told them that I knew this would sound crazy, but they could call me and I would explain more about how someone was trying to return their hacked data if they needed it back because they had no backup. That call was after close of business on Friday. The following Monday morning, having gotten no call back by a few hours […]
BOSTON — Attorney General Maura Healey today announced multistate settlements with Experian, totaling over $13.67 million, concerning data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide. A $2.5 million multistate settlement was also reached with T-Mobile in connection with the 2015 Experian breach, which impacted more than 15 million individuals who submitted credit applications with the telecommunications company. Under the terms of the settlements, Experian, one of the big-three credit reporting agencies, and T-Mobile have agreed to improve their data security practices and pay the states a combined amount of more than $16 million. Massachusetts will receive over $625,000 from the settlements. “Ensuring the security and privacy of Massachusetts consumers is a top priority and we take data breaches and their potential risks seriously,” said AG Healey. “I am pleased to join my colleagues today in holding these companies accountable for their failures to protect the sensitive information of our residents.” In 2012, the U.S. Secret Service alerted Experian Data Corp., a subsidiary of Experian, to the existence of an identity thief who was posing as a private investigator and retrieving sensitive personal information, potentially including names, Social Security numbers, addresses, and/or phone numbers from Court Ventures Inc., a database company that Experian Data Corp. had purchased. The thief had begun accessing information from the Court Ventures, Inc. database before Experian Data Corp. purchased the company and continued to do so afterwards. Experian Data Corp. never notified affected consumers of the data breach. Since that time, the identity thief has pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges.
In September 2015, Experian also reported it had experienced a data breach in which a hacker gained access to a part of Experian’s network storing personal information on behalf of its client, T-Mobile. The breach involved the personal information of consumers – including more than 280,000 Massachusetts residents – who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s own credit assessments. Experian offered two years of credit monitoring services to consumers following the breach. The attorneys general reached separate settlements with Experian and T-Mobile in connection with the data breaches. Today’s settlements resolve claims that the company’s data security practices were in violation of state consumer protection laws and breach notification laws, including Massachusetts Data Security Regulations. Under the terms of the settlements, Experian will pay a total of $13.67 million in connection with the 2012 and 2015 data breaches and has agreed to strengthen its data security practices going forward. 
Terms of the Experian settlements also require the company to: maintain a comprehensive incident response and data breach notification plan; strengthen its vetting and oversight of third parties that it allows to access personal information; develop an Identity Theft Prevention Program to detect potential red flags in its customers’ accounts; not misrepresent to its clients the extent to which Experian protects the privacy and security of personal information; strengthen due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration; and meet data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers. Experian will also be required to offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. This is in addition to the four years of credit monitoring services already offered to affected consumers — two of which were offered by Experian in the wake of the 2015 breach, and two that were secured through a separate 2019 class action settlement. Affected consumers can enroll in the five-year extended credit monitoring services and find more information on eligibility here. In a separate $2.43 million settlement, T-Mobile has agreed to vendor management provisions designed to strengthen its vendor oversight going forward, including implementing a program to oversee vendors’ security, such as specific contractual security requirements in its contracts like encryption, passwords or patching, and taking action against vendor non-compliance. AG Healey co-led the multistate investigation into the 2012 data breach, along with Illinois Attorney General Kwame Raoul and with assistance from the attorneys general of Connecticut, Indiana, Maryland, New Jersey, North Carolina, Texas, and Vermont.
The AG’s Office also assisted in the multistate investigation into the 2015 data breach, which was co-led by the attorneys general of Connecticut, District of Columbia, Illinois, and Maryland, and was also assisted by Texas. This case was handled for Massachusetts by Division Chief Jared Rinehimer, of the AG’s Data Privacy and Security Division. Source: Massachusetts Attorney General Maura Healey For some more background on the US Info Search/Court Ventures/Experian breach, see this post and Brian Krebs’ reporting on the breach.
At first I thought the headline had a typo and that they meant to name Equifax, but they do, indeed, mean Experian. This suit goes back to an incident previously covered on this site that involved Experian acquiring a company, Court Ventures, that had access to another company’s (InfoSearch’s) database…. and a bad actor named Hieu Minh Ngo, who resold the data he accessed to other criminals. Sound vaguely familiar? Use the search box to search for “Court Ventures” and “InfoSearch” and you’ll find a number of posts on this case. I had covered developments in the case and even complained that while the companies were suing each other, no one was notifying the consumers, even though a number of them had become victims of tax refund fraud. I had even asked what state attorneys general were doing. Well, now we know what one city attorney is doing – suing Experian for not notifying consumers. If the past predicts the future, Experian will claim that they couldn’t notify because only another party had sufficient information to know whom to notify. But we’ll see, I guess. Read Jermaine Ong’s report on News10.
It’s always interesting to see if a company’s stock prices take any hit from a breach. Nick Fletcher reports on The Guardian: Leading shares are moving higher ahead of the US jobs data, with banks boosted by news of a deadline being set for consumers to claim for mis-sold payment protection insurance. But Experian has dropped more than 4%, down 49p at £10.26, after news of a data breach in the US affecting 15m people who applied for service with T-Mobile. Analysts at Barclays said: In the near term, the greatest hit to Experian is the damage to its reputation and its effort to establish the “Experian.com” brand in the direct to consumer credit monitoring space. Unlike [recent data breach victim] Target (a retailer), Experian’s business is that of handling data, which makes this incident particularly embarrassing. Undoubtedly a breach of this magnitude is a major setback, especially to a company that takes data security very seriously. T-mobile is obviously reviewing its relationship with Experian. In itself the loss of one client is fairly immaterial (a few million $ in our view) but if it triggers other account reviews, it could become more significant. In addition we would expect to hear comments from the regulator (CFPB) who could launch a review of Experian’s security policies. What about the FTC launching a review of Experian’s security policies and data security? Both agencies have relevant authority. But they (the Barclays analysts) added: …. Whilst unfortunate we don’t think it will trigger a mass exodus of clients, although that will depend on the robustness of Experian’s response and the steps it takes to shore up security. It will of course make Experian’s task of rehabilitating its consumer business much more difficult. In terms of financial cost, we would expect some one-off expenses in relation to this ($10m is our initial estimate) as well as likely further incremental spend on data security going forward (which has been rising anyway).
As a rule of thumb, an additional $10m on ongoing expenses is just under 1% of group pre-tax profit, other things equal. Even a Target-like result (although unlikely as no credit/bank data was stolen, in our view) would only represent a 1% hit to market cap. The longer-term reputational damage is harder to ascertain, but we think Experian’s B2B customers will be supportive as long as Experian moves quickly to restore confidence in its data security. In other words: it’s likely no big deal. So to review: Experian has had over 100 data breaches since 2006 involving its credit-reporting database(s), and it’s no huge deal. It had a huge breach involving Court Ventures, a firm they acquired that was involved in a massive ID theft scheme, and still nothing. Now they have a hack affecting 15 million T-Mobile USA customers, and still, it’s not likely to make a real dent in their business and profits? What will make a dent or difference, then? What if we had a regulator who could do what South Korean regulators did – prohibit a company from signing up any new customers for months as part of a penalty for inadequately protecting customer data? What if heads at the top actually rolled? Would either of those make a difference? What, if anything, can we actually do that might make a difference?