Can credit bureaus be trusted with consumers' data? An investigation conducted by security blogger Brian Krebs calls the practices of these stewards of consumer credit histories into question.
According to Krebs, an identity theft service called Superget.info that sold the bank account data, credit card data, Social Security numbers and drivers' license numbers of millions of Americans purchased much of its data from credit bureau Experian, or more precisely a company Experian bought in March 2012 called Court Ventures. Court Ventures is an aggregator of public records data, obtained from state and county sources.
The blog states that after the acquisition, the alleged proprietor of Superget.info paid Experian for monthly data access charges using wire transfers sent from Singapore, which should have raised red flags at the top-three credit bureau, which is based in Costa Mesa, Calif.
Experian offered American Banker this comment in response to the blog's charges (it provided the identical language to Brian Krebs):
"The suspect in this case obtained access to US Info Search data through Court Ventures prior to the time Experian acquired the company. To be clear, no Experian database was accessed. Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Because of the ongoing federal investigation, we are not free to say anything further at this time."
Experian did not respond to a query about why it didn't question the wire transfers from Singapore, when its service is geared toward U.S. companies. It also did not respond to a question about what the company is doing to prevent future breaches.