US law enforcement teams are jointly investigating a serious data breach involing a subsidiary of credit reporting firm Experian that exposed the social security numbers of some 200 million people to potential criminal activity.
The focus of the multistate investigation will likely be on whether Experian and other parties followed laws requiring companies to properly secure consumer data and comply with breach disclosure rules.
News of the breach surfaced as the Obama administration seeks to strengthen the government's ability to compel businesses to adequately secure consumer data. Federal Trade Commission Chairwoman Edith Ramirez on Wednesday asked the Senate Homeland Security committee to pass national breach notification legislation.
A spokesman for Experian declined comment on the probe, saying the company does not comment on such investigations as a matter of policy.
Vietnamese national Hieu Minh Ngo last month pleaded guilty in New Hampshire federal court to running an underground website that offered clients access to personal data of Americans including social security numbers, which could be used for identity theft and other types of financial fraud.
Federal authorities say he obtained social security numbers through a US firm known as Court Ventures, which provides customers with access to court records.
It also offered them access to a database of social security numbers of some 200 million Americans through a data-share arrangement with another firm, known as US Info Search which provides data to law enforcement, collection agencies, mortgage processors and other companies that need information to verify identities.
3.1 million queries
Ngo obtained an account with Court Ventures sometime before March 2012, when Experian bought the firm's assets, by posing as a Singapore-based private investigator, according to court documents.
Prosecutors say Ngo's customers used Court Ventures to make some 3.1 million queries of the US Info Search database over an 18-month period. Experian spokesman Gerry Tschopp told Reuters access to the data ended on December 4, 2012, when his company turned off the Court Ventures portal that Ngo used to access the database.
Authorities have not said how many people's data was accessed through those queries, each of which could have potentially included multiple records or returned no data. They have not identified any specific cases in which stealing of data through Court Ventures has led to identity theft or other crimes.
Officials with both Experian and US Info Search say they have not been able to ascertain which records were accessed by Ngo's customers and are therefore unable to notify victims.
"We are actively pursuing the facts and we are working to help uncover what records may have been affected," Tschopp said.
US Info Search CEO Marc Martin said he cannot identify the victims of the breach because he is unable to ascertain which queries that came from Court Ventures were from Ngo's account and which were from other clients.
"We have cooperated and assisted the authorities in their investigation from the onset and likewise urged Experian to make timely notifications," Martin said.
A spokesman for the US Secret Service declined comment. The agency investigated Ngo using undercover agents and lured him from Vietnam to Guam where he was arrested. He is awaiting sentencing in New Hampshire federal court.
Connecticut and Illinois have been leading a multistate coalition investigating the data breach at retailer Target US in which some 40 million payment card numbers and 70 million other pieces of customer data were stolen.
Target hired Experian to offer free credit monitoring services to its clients after the breach.
Ngo did not access any Experian databases, including the ones its uses for its credit monitoring products, according to Tschopp.