Millions of Records Exposed in Unique Experian Data Breach

In late March 2018, the San Diego city attorney filed a lawsuit against Experian, one of the three major U.S. credit bureaus. The lawsuit contends that from 2010-2013 the Bureau provided access to the personally identifiable information (PII) of 250,000 people in San Diego and millions more to an unauthorized third party, and never informed the consumers affected about it. The suit claims this unauthorized access constitutes its state definition of a data breach and as such, they are seeking civil monetary penalties under the state’s Unfair Competition Law, as well as a court order compelling the California-based company to formally notify consumers whose personal information was stolen and to pay costs for identity protection services for those people.

A Different Kind of Breach

While many consumers assume data breaches are typically committed by hackers breaking into enterprise systems unbeknownst to the enterprise being breached, in this case Experian actually knowingly provided the data to a private investigative firm setup by Hieu Minh Ngo, a Vietnamese man who setup the bogus firm and was posing at the time as a licensed private investigator (PI) in the United States. Ngo’s fraudulent firm paid Experian thousands of dollars in cash each month for access to 200 million consumer records and then resold those records to more than 1,300 other individuals, many of whom used that data to perpetrate tax fraud and potentially other forms of identity fraud. The Internal Revenue Service reported that Ngo was connected to an identity theft ring and that the fraudsters who purchased the data from him filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds.

Experian became aware of the breach in late 2012, at the latest, when Federal investigators informed them about the investigation into Ngo and the security lapse. While Experian has not yet commented on the lawsuit filed by the San Diego city attorney, they did acknowledge the exposure of information to Ngo in a 2013 Congressional hearing, when an executive from Experian told Congress that the company acknowledged that Experian failed to conduct the due diligence needed to detect Ngo’s activities.

California Data Breach Laws

While there is no federal data breach law, California has long been known as a state that takes the privacy of its residents seriously. In 2002 it became the first state to enact a state data breach notification law. The California law includes information on exactly who is under obligation to comply with the law; the definition of PII and a security breach; notification requirements; and how the law can be enforced. At the beginning of 2017, California’s breach law was expanded to stipulate that the exposure of even encrypted data that has the potential to be unencrypted must also be disclosed to consumers’.

While it does not have any bearing on this particular breach, it is interesting to note that like most other states’ data breach notification laws, California’s law addresses only the collection of PII in electronic format. This is, of course, problematic, as paper breaches can pose a substantial risk to consumers as well. In fact, a 2014 report by the California Attorney General’s Office stated that 8% of breaches affecting residents were paper breaches that would not trigger the state’s data breach law. At this time, only 10 states’ laws cover breaches involving both electronic and paper formats.

How Consumers – of All States – Should Proceed

The lawsuit estimates that as many as 30 million consumer records were breached, as such consumers of all states should be on high alert that their data may have been exposed. It is important for consumers to note too that if their data was exposed, it has been vulnerable to fraudulent use for several years. Since it has not been shared which 30 million consumers have been affected and may not be for several more years while this lawsuit resolves – if ever – we recommend all consumers take precautions to safeguard their data.

We recommend consumers monitor all activities on their financial and credit card accounts, lock down their login information by using two-factor authentication, review any information from their insurance companies and/or explanation of benefits, and we strongly urge everyone to sign up for an identity protection service that includes credit and identity monitoring. Unfortunately, Experian is not offering free identity protection services to consumers whose information was exposed in this breach at this time – though the City Attorney’s suit is compelling the company to do so, as well as formally notify consumers whose personal information was stolen.

We also caution consumers to be weary that not all monitoring services will protect them equally. We encourage individuals who are evaluating identity protection services, and businesses who are evaluating such third-party services to offer, to compare the monitoring capabilities and the quality of the customer service.

Comprehensive monitoring services should include internet surveillance, compromised credential monitoring, and credit monitoring. The monitoring should also include alerts so that if a customer’s information is detected on the dark web, they can quickly assess and work with resolution experts to minimize any impact.

Some recommended information to monitor includes:

  • Social Security number
  • Email addresses
  • Date of birth
  • Debit/credit cards
  • Bank account numbers
  • Insurance card/policy number
  • Drivers’ license number
  • Loyalty card numbers
  • Affinity card numbers
  • Passport number

After major breaches like this fill the news, it is also common for those affected to receive an influx of phishing emails supposedly from the breached organization or other trusted service providers. Consumers should be particularly watchful of such emails and consider investing in additional cyber protection, like that included in our online data protection suite.

Additionally, the time may come when your customers and employees will be on the receiving end of a recent data breach notification and will need the assistance of a resolution specialist, it’s critical to ensure that the protection includes a team of experts they can rely on. It is in this service feature where most identity protection providers truly stand apart – some focus on maximizing calls per hour whereas others focus on quality of the care offered. We, proudly, are the latter. Our certified, award-winning Resolution Center teams are available 24/7, every day of the year to provide empathetic and patient assistance that puts people first.

To learn more about protecting your customers’ and employees’ data with Generali Global Assistance identity and digital protection, request a demo.