Britain’s biggest online security company has been embarrassed after one of its subsidiaries released the personal details of more than 500,000 people to a fraudster who later sold them to third parties for more than £1m.
Experian, which the British government appointed to run online security for its digital services, is at the centre of a major criminal investigation in the Unites States after a Vietnamese man obtained birth dates, addresses, social security details, phone numbers and email addresses through one of its companies.
Hieu Minh Ngo, 24, pleaded guilty to multiple counts of fraud after he convinced Court Ventures, a US subsidiary of Experian, to unlawfully release a treasure trove of sensitive data.
Posing as a private investigator operating from Singapore, Mr Ngo gained access through Court Ventures to US Info Search’s database of more than 200 million Americans. He then sold on the information through two websites to 1,300 identity fraudsters, who paid at least £1.4m between 2007 and 2013.
The case is a major blow for Experian, a huge credit reference agency that was appointed by the Government to check Britons’ identities when they log on to use public services.
Mr Ngo set up the fraud by wiring monthly payments from Singapore to Court Ventures in exchange for data. The Californian company was bought by Experian in March 2012, and Mr Ngo continued to exploit the information for a further nine months until American intelligence agencies sounded the alarm.
He was arrested last year in Guam by US secret service agents after he was lured into a business deal with a man he believed could deliver huge volumes of personal and financial data for resale.
American prosecutors alleged that Mr Ngo’s customers made approximately 3.1 million inquiries about US citizens and used the information for a variety of fraud schemes, including filing fraudulent tax returns, opening new lines of credit and running up huge bills in the names of unsuspecting victims.
In December 2013, a US Senate committee questioned Experian’s senior vice president of government affairs and public policy, Tony Hadley, on how the payments could continue without anyone at Experian noticing. Mr Hadley was keen to point out that Experian was the victim in the case and that the data obtained was not controlled by them.
One of the committee members, Senator Claire McCaskill, believed that the only reason Experian checked the wire transfers from Singapore was because the authorities uncovered the fraud. She said: “I don’t know how long those wire transfers would have gone on [for].”
In a statement, Experian was adamant that the case in the US was an isolated incident and had no impact on the work undertaken for the UK’s Identity Assurance programme.
The company said: “We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search’s data to Ngo.”