From Third-Party Risk to Reality: Dissecting the 2012 Experian Data Breach

This blog is the first in a series examining the causes and effects of high-profile third-party related data breaches over the last decade. Be sure to keep watching the Risk Register blog for future installments in the series!

by Tiffiany Newsome, Threat Analyst

October 17th, 2019

In 2012, Experian, a credit reporting agency, acquired a company called Court Ventures, a collector and aggregator of information from public records. In doing so, Experian unknowingly inherited a Court Ventures customer who had sold other customers’ data on the dark web. This blog reviews the breach’s background, the methods the attacker used, what happened to the data, and the breach’s impact on Experian. It also offers lessons to third-party risk management practitioners for gaining visibility into third-party security controls and practices.

Data Breach Background

In March 2012, Experian acquired Court Ventures, a company that aggregates publicly available information from 1,400 local and county databases and then resells it for marketing purposes. After the acquisition, the US Secret Service contacted Experian and informed them that the US government was investigating one of Court Ventures’ customers for fronting an identity theft ring.

Methods Used

Hieu Minh Ngo, a Vietnamese hacker, was responsible for the breach. He posed as a private detective in Singapore and created a front company, US Info Search. Ngo then created an account with Court Ventures, searched its database for customer records at 12 cents a search and compiled the discovered data.

What Happened to the Data?

Ngo sold the stolen data through dark web sites he operated that catered to identity thieves. As a result, 1,300 people’s identities were stolen. Ngo made more than $2 million from selling the stolen data. In 2015, Ngo was extradited to the US and sentenced to 13 years in prison.

How the Breach Affected Experian

Even though Experian’s data was not compromised, and the company denied all culpability in the breach, it still faced adverse consequences. In 2013, victims of identity theft resulting from Ngo’s actions filed a class-action lawsuit against Experian for statutory violations related to the Fair Credit Reporting Act and other regulations. One claim was that Experian failed to notify customers that their information had been compromised. The case was terminated in October 2015.

Moreover, the breach occurred less than a year after the US Senate Committee on Commerce, Science, and Transportation launched an investigation into how the data broker industry handled customers’ information. This bad timing exacerbated the reputational damage Experian experienced from the breach. In October 2013, the committee expanded its investigation and questioned Experian executives on the company’s customer vetting practices and Ngo’s identity theft service. Experian’s senior vice president of government affairs publicly admitted that the company had not performed the due diligence that would otherwise have detected Ngo’s activities.

What Third-Party Risk Management Practitioners Can Learn from the Experian Breach

There are many lessons that risk management professionals can learn from the Experian breach. Most importantly, as part of the M&A process, Experian should have conducted due diligence into Court Ventures’ internal controls and security policies to ascertain how Court Ventures granted its customers access to its data, and how that access would expose Experian to business risk. This can be challenging, however, as there is generally limited visibility into, and no centralized intelligence on, the business health of an acquisition target.

Prevalent delivers a single dashboard view of current and historical business intelligence for vendors, suppliers and other third parties. This intelligence includes financial, brand, regulatory, and leadership data -- as well as information about legal actions, lawsuits, and more. In this use case, Prevalent can provide a centralized view of an M&A target’s public activity. This, when combined with dark web scanning and other cyber security tools, could have raised red flags regarding possible nefarious activity happening through Court Ventures.

Our business risk monitoring solution is part of Prevalent's holistic Third-party Risk Management Platform, which integrates outside-in threat analytics with inside-out assessments of internal controls for a complete, 360-degree view of third-party risks. 

With increased regulatory activity related to information security, consumer outcry about data breaches, and the growing complexity in the business risk landscape, legal and financial repercussions resulting from third-party breaches will continue to increase. With the right measures in place, third-party risk management practitioners can help to keep their companies out of the headlines. 

For more on how Prevalent can help address complex third-party risks, request a demo of our TPRM platform.