Experian Breach Tied to NY-NJ ID Theft Ring

Last year, a top official from big-three credit bureau Experian told Congress that the firm was not aware of any consumers that had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. Today’s post presents evidence that among the ID theft service’s clients was an identity theft and credit card fraud ring of at least 32 people who were arrested last year for allegedly using the information to steal millions from more  than 1,000 victims across the country.

Ngo's ID theft service superget.info

Ngo’s ID theft service superget.info

On March 31, 2014, 26-year-old Idris Soyemi of Brooklyn, New York pleaded guilty in a New Hampshire court to one count of wire fraud. In Soyemi’s guilty plea hearing, the prosecutor laid out how Soyemi on several occasions bought Social Security numbers, dates of birth and other personal information from an online identity theft service run by guy named Hieu Minh Ngo.

Ngo is a Vietnamese national who for several years ran an online identity theft service called superget.info. Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to findget.me. The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty earlier this year to running the ID theft service, and the government has been working on rounding up his customers ever since.

According to Soyemi’s guilty plea transcript (PDF), U.S. Secret Service agents seized control over Ngo’s email account in February 2013 and used it to interact with his customers. Posing as Ngo, the undercover agent reached out to Soyemi and wrote, “I’m back. You doing tax refund or credit card?”, asking Soyemi whether he was buying personal data on consumers to set up new lines of credit in their names or to file fraudulent tax refund requests with the IRS — a rapidly growing form of cybercrime. Soyemi responded, “I do credit cards but can you tell me about tax refund?” (if you missed last month’s story about an Ohio man who’s accused of using Ngo’s service to file at least 150 fraudulent tax refund requests with the IRS, check that out here).

Interestingly, Soyemi was part of a huge network of nearly three dozen people who were rounded up last year and charged with taking out new credit cards in victims’ names and then using the cards to make millions of dollars in retail purchases that were then fenced on the black market. From an April 2013 story in the Jersey Journal:

“The leaders of the group, authorities say, purchased the identities of unsuspecting victims from online brokers, who got the information from computer hackers across the United States….”

“In a process known as ‘punching,’ electronic account information from the cards’ magnetic strips would be transferred onto counterfeit cards, which were provided to “strikers” who conducted the purchases at retailers all over the Eastern Seaboard, authorities say…”

….”The investigation has identified nearly 1,000 victims across the country and millions of dollars in phony transactions, authorities say.”

“Authorities say the suspects spent the proceeds on luxury cars, high-end jewelry and other lavish expenses. Some of the money was additionally sent to accounts in Nigeria, authorities say.”

Further tying this group to Ngo’s service is a four-count indictment (PDF) lodged against another man named in that identity theft ring roundup by the New Jersey prosecutor’s office: Oluwaseun Adekoya, 25, of Sewaren, NJ. Adekoya’s indictment makes numerous references to his alleged purchase of hundreds of consumer records from an online identity theft service that was taken over by U.S. Secret Service agents in February 2013 (recall that in Soyemi’s guilty plea hearing government prosecutors said that in that same month undercover Secret Service agents assumed control of the email account tied to Ngo’s identity theft service).

According to the government, Adekoya was a ringleader among the group who directed the activities of several men, including Atlanta, Ga. resident Adebayo Adegbesan, another defendant in the identity theft ring who pleaded guilty in New Hampshire recently. A transcript of Adegbesan’s guilty plea hearing doesn’t mention Ngo, but it does reveal that the New Hampshire district court and the U.S. Attorney who is prosecuting the case — Arnold Huftalen — have their hands full processing a large number of defendants tied to the same case.

Prosecutors told the court that they’d hoped to lure Adekoya to New Hampshire after he’d arranged to collect what he believed was more than $100,000 worth of bank account information encoded onto white plastic cards that could be used to pull cash out of ATMs. Instead, Adekoya allegedly sent Adegbesan and three others to pick up the cards.

I enjoyed reading the discussion between the court and Huftalen, particularly the part about the “SODDI defense.” Here, the two are discussing the large number of defendants related to this case. Also, as it turns out, Matthew O’Neil — the U.S. Secret Service agent who came up with the plan to lure Ngo out of Vietnam and to entice his clients into traveling to New Hampshire — was recently honored with the Secret Service Agent of the Year award for his work on the case.

THE COURT: Okay. Fine. Just curious because I’ve seen a few of them come through now. Maybe related to this, maybe unrelated to this. I seem to have a number of these with you right now.

MR. HUFTALEN: I have more than I’d like, and I’m sure you do, too.

THE COURT: People are told to come up to New Hampshire and do this stuff. It’s a good approach. You end up catching a lot of people.

MR. HUFTALEN: The whole lure, I mean, is to eliminate this SODDI defense, S-O-D-D-I, some other dude did it. When you’re talking with somebody on the computer, as you know, unless you have eyes on him on the keyboard, there’s always that reasonable doubt.

THE COURT: It’s a very effective law enforcement technique. Believe me, I’m not in any way being critical of it. I’m curious about it and I of course want to see that, to the extent I have responsibilities with respect to it, that I fulfill those responsibilities, and I’m just learning about it, trying to understand it.

MR. HUFTALEN: I don’t think you will see a whole lot more of these.

THE COURT: It seems like you have a very creative active agent who’s working with you on at least some of these cases and I just was wondering.

MR. HUFTALEN: Who was in Washington, D.C. this week to get an award because he was selected as the Secret Service Agent of the year.

THE COURT: Really. That’s what I mean. He seems like a go-getter kind of person and people like that tend to produce lots of cases.

MR. HUFTALEN: And the targets that he and I are targeting are not like the person who’s sitting here in court today.

THE COURT: They’re people above him.

MR. HUFTALEN: Way above.

Several state attorneys general are now investigating the apparent breach at Experian’s subsidiary. According to U.S. government investigators, the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

A transcript (PDF) of Ngo’s guilty plea proceedings shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans. Meanwhile, Experian has maintained that “no Experian database was accessed” in the fraud stemming from Ngo’s identity theft service. Check out a fact-checked version of Experian’s talking points on the matter here.

Оставьте комментарий