State attorneys general are investigating a data breach at a subsidiary of Experian that gave criminals access to consumers' bank account, Social Security and drivers' license numbers, Reuters reported Thursday.
The attorneys general from Connecticut and Illinois confirmed the probe to the news wire service, though neither would say what other states, if any, were involved.
As American Banker reported in October, the breach was first made public by security blogger Brian Krebs. He found that an identity theft service called Superget.info was purchasing much of the data on millions of Americans from a company Experian bought in March 2012 called Court Ventures and illegally selling it to third parties. Court Ventures, in turn, had purchased the data from a company called U.S. Info Search.
A spokeswoman for Experian would not discuss the multistate probe Thursday, but directed American Banker to a blog post from March 30. The post mainly reiterates what Experian told American Banker at the time the breach was uncovered.
"The suspect in this case obtained access to US Info Search data through Court Ventures prior to the time Experian acquired the company," the credit bureau says. "Experian acquired Court Ventures … because of its national public records database. After the acquisition, the U.S. Secret Service notified Experian that Court Ventures had been and was continuing to resell data from U.S. Info Search to a third party possibly engaged in illegal activity. Following notice by the U.S. Secret Service, Experian discontinued reselling U.S. Info Search data and worked closely and in full cooperation with law enforcement to bring … the alleged perpetrator to justice."
Hieu Minh Ngo, the individual mentioned in Experian's statement, pleaded guilty last month to running an identity theft service out of his home in Vietnam.