By Dorothy Atkins
The San Diego city attorney hit Experian Data Corp. with a suit in California court Wednesday, claiming the credit reporting agency failed to notify millions of data breach victims it had inadvertently shared their personal information with a Vietnamese teenager who sold the data to criminals online.
The lawsuit, filed by San Diego City Attorney Mara W. Elliott, accuses Experian of failing to vet, monitor and supervise the companies who had access to confidential data of more than 200 million Americans. As a result, the suit said, Heiu Minh Ngo accessed and stole data from Experian’s database and ran a business for years selling the information to 1,400 criminals around the world, netting himself $1.9 million in profits.
“This is not a case where sophisticated hackers broke into a computer network using obscure and technical exploits,” the suit said “As self proclaimed security experts, defendants should have easily seen through this scam and never let Ngo anywhere near their data.”
The suit names Experian and public data collecting companies Court Ventures Inc. and US Infosearch.com LLC as defendants and claims that the hackers stole data of at least 30 million consumers, including 3.6 million Californians and 250,000 San Diego County residents. It also alleges hackers obtained $65 million in fraudulent tax returns as a result of the data breach.
The breach goes back to April 2010 when CVI and USP entered into a data sharing agreement under which they pooled consumers’ personal identifying information, including their social security numbers, dates of birth, work history and mothers’ maiden names, according to the suit.
Experian became a party to that agreement when it acquired CVI in March 2012, the suit said. By November 2012, however, Experian knew or should have known that CVI had given Ngo access to the pooled database as early as July 2010, when he was 19 years old, the suit said.
Before it acquired CVI, Experian knew that Ngo’s Singapore-based purported private investigation firm paid CVI $15,000 each month to access the database, according to the suit. Then, after Experian acquired CVI, it could see that websites linked to Ngo’s company were making millions of inquiries to obtain consumers’ social security numbers and other information, the suit said. In both instances, however, Experian failed to ask questions about the operation, the suit alleged.
The U.S. Secret Service arrested Ngo in February 2013, and he later pled guilty to multiple counts of fraud. He’s currently serving a 13-year prison sentence, according to the suit.
Even after Experian became aware of Ngo’s fraudulent activities, the suit claims the company failed to notify the victims of the data breach so that they could try to protect their financial information, in violation of the state’s Unfair Competition Law.
The suit seeks a $2,500 civil penalty for each violation of the UCL and an additional $2,500 civil penalty for each UCL violation against senior citizens and disabled persons, plus the costs of litigation.
Elliot said Wednesday that Experian harmed millions of consumers by failing to protect their personal information and by not telling them the truth about what happened.
“Individual consumers do not have the time or the resources to fight back against corporate malfeasance, so my office will seek justice on their behalf,” she said in a statement.
Representatives for Experian didn’t immediately respond to requests for comment.
The state is represented by Deputy City Attorney Mark Ankcorn and by Timothy G. Blood and Paula A. Brown of Blood Hurst & O’Reardon LLP.
Counsel information for Experian wasn’t immediately available Thursday.
The case is The People of the State of California v. Experian Data Corp. et al., case number 37-2018-00011206, in the Superior Court of California, County of San Diego.
–Editing by Alyssa Miller.