The credit bureau providing five years of free credit monitoring for those affected by this university’s Feb. 18 data breach might indirectly have granted an identity theft service access to sensitive user data in 2012, including Social Security numbers and financial information.
An investigation published in October by former Washington Post reporter Brian Krebs on his Web security blog, KrebsOnSecurity, found an identity theft market known as Superget.info obtained much of its data from Experian, the credit bureau handling this university’s free protection plan.
University communications officials said the university selected Experian because the company was able to mobilize quickly following the breach and had experience dealing with other breaches, including Target, Neiman Marcus and other universities.
In March 2012, Experian acquired data collection and distribution service Court Ventures to bolster its North American data pool and “to extend its global lead in credit information and analytics,” according to Experian’s website.
Krebs’ investigation, however, uncovered that the Experian subsidiary had been selling information to Superget.info and findget.me and continued to sell to the theft services after the acquisition, fueling the Vietnamese-hosted Web domains with Social Security and driver’s license numbers, among other information.
“To be clear, no Experian database was accessed,” Experian spokeswoman Sandra Bernardo wrote in an email. “The situation described, reported in the media, was in motion before Experian acquired Court Ventures, and Experian discontinued reselling U.S. Info Search data upon learning of the issue.”
Court Ventures had formed an information-sharing partnership with U.S. Info Search, an Ohio-based data company, before Experian purchased it, Krebs’ investigation found. After gaining Court Ventures’ assets, Experian allegedly received wire transfers from Singapore every month in exchange for the U.S. Info Search data access sold to Superget.info.
U.S. Info Search CEO Marc Martin told Krebs in October that the agreement with Experian was that information would only be sold to licensed U.S. businesses for use in fraud prevention and identification verification.
In November 2012, the U.S. District Court in New Hampshire indicted 24-year-old Vietnamese national Ngo Mieh Hieu in connection with the crimes. From 2007 to 2012, Hieu acquired and sold the personal information of more than 500,000 people on Superget.info and findget.me, according to court records.
Hieu, who allegedly bypassed the Experian vetting process and gained access to information by posing as a private investigator, was arrested in Guam in February 2013 and could face up to 50 years in prison.
“We also worked closely with law enforcement to bring the criminal to justice,” Bernardo wrote.
In the week after Krebs’ article was published, Sen. John D. Rockefeller IV (D-West Virginia) — chairman of the Committee on Commerce, Science, and Transportation, which investigates the practices of the top data brokers — wrote a letter to Donald Robert, Experian CEO, with questions on how the company’s inspection process allowed a criminal such as Hieu to slip through the cracks.
“Your company collects, maintains, and sells data on millions of American consumers,” Rockefeller wrote in the Oct. 23 letter. “However, if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them, regardless of the particular line of business.”
Students have raised other questions about Experian, whose call-in lines for those affected by the data breach opened for registration last week. On Feb. 25, the university’s Chief Information Officer Crystal Brown wrote in an email that the lines were experiencing technical difficulties after receiving more than 40,000 calls in the first three hours.
Stacy Donald, a senior journalism major, waited until Wednesday to call. She started calling the number at 9 a.m. but was unable to get through until about 5 p.m. When she did, the operator left her questions largely unanswered, she said.
“Well, you know, you just have to log on,” Donald remembered him saying when she asked if her information had been compromised. “Your account won’t be activated until you actually log on to the system, and then you can just monitor it.”
She hung up with concerns about how the operator handled the call.
“I didn’t think they were helpful, and I had thought that was the whole reason to call them — for them to help us out,” she said.
Brian Ullmann, this university’s marketing and communications assistant vice president, said last week the unanticipated high volume of calls caused miscommunication on Experian’s end. He said some calls went to operators who hadn’t been trained to handle calls regarding this data breach.
Still, students such as senior Sean Lavallee said the way the company’s operators handled the calls raised questions about the protection plan and its call center.
“It’s like if you had a machine at home — a washing machine or an HVAC machine — and you had some kind of protection plan on it, and it broke down,” said Lavallee, a communication and geographical sciences major. “And then the company just comes, gives you the parts and says, ‘OK, now you put it together; you do it.’”
Lavallee signed up with Experian last week, he said, but when he asked what the coverage consisted of, he was shocked to hear a sales pitch for a more extensive — and more expensive — credit monitoring plan.
“When I talked to the guy, I asked him, ‘So I’m fully protected now?’ and he goes, ‘No, you’re not, but for this much extra a month, you’ll be fully protected,’” Lavallee said. “What is this, a free trial thing?”