Class Action: Experian Sold Private Data to Identity Thief

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

Experian Data Corp. was hit with a class action lawsuit in a California federal court, alleging that the credit reporting agency sold highly sensitive consumer information to an identity thief.

Plaintiffs Maudie Patton, Jacqueline Goodridge, and Virginia Kaldmo, who are all from different states, claim in their class action lawsuit that Experian sold their information to Vietnamese hacker Hieu Minh Ngo, who they say is a “known and now convicted identify thief, black market PII [personal identifiable information] trafficker, and computer hacker.”

After the information was sold to Ngo, who was allegedly posing as a private investigator, he then allegedly sold the private consumer information to “his customers, who themselves are identity thieves, in a scheme that lasted for several years,” in what is known as the “security lapse.”

The information that Ngo had access to included Social Security numbers, addresses, birth dates, vital statistics, bank information, marital status, tax history and more.

As a result of the data theft, all three plaintiffs claim that one of identity thieves that Ngo sold their information to, named Lance Ealy, used it to file fraudulent tax returns in their names.

“The Security Lapse is one of the largest data security lapses involving wrongfully disclosed and compromised [personal identifiable information],” the plaintiffs explain in their class action lawsuit.

In March 2012, Experian acquired Court Ventures, Inc., which included the CVI Database. CVI collected court data, including criminal records, civil suits, judgements, state tax liens, marriage licenses, death certificates, business licenses, and bankruptcy petitions.

In 2010, Ngo was posing as a private investigator from Singapore and went under the name Jason Low and claimed to be doing business under a group called SG Investigators.

“According to the ruse, SG Investigators was employed by a large company to conduct background checks on job applicants,” the Experian class action lawsuit explains.

However, the plaintiffs claim, that through CVI, Ngo actually had “access to more than just CVI’s databases. At all relevant times, CVI had a reciprocity agreement with the Ohio-based data brokers U.S. Info Search, whereby the two entities’ shared information from, and access to, each other’s databases. As such, CVI and U.S. Info Search subscribers had complete access to both companies’ U.S. consumer PII databases.”

This means that Ngo had access to the personal information of more than 200 million Americans, the class action lawsuit says. For this access, Ngo paid CVI $15,000 per month, which was wired from a bank account in Singapore.

Ngo began selling the personal information in July 2010 “through fraudster websites, Superget.info and findget.me,” which were both owned and operated by Ngo. Ngo allegedly made $2 million selling the information he obtained from CVI and U.S. Info Search.

“The websites accepted payment in the form of virtual currency, including Liberty Reserve, which the federal government alleges is responsible for laundering over $6 billion of proceeds from criminal activity,” the Experian class action lawsuit says.

Ngo was arrested in February 2013 by the Secret Service, and on July 14 Ngo was sentenced to 13 years in prison.

The plaintiffs claim that there were several red flags that Experian should have been aware of regarding the unauthorized and unlawful activity that CVI was engaged in when it acquired the firm in 2012.

“For example, CVI represented to Experian that virtually all of the data it sold was publicly available criminal history information, and thus unregulated,” the Experian data breach class action lawsuit says. “But, Experian later learned prior to the purchase that CVI, in fact, accessed certain personal information and, therefore, was subject to regulation. Prior to acquiring CVI, Experian learned that CVI misrepresented its regulatory compliance regarding such information.”

Experian was also aware of CVI’s relationship with SG Investigators and the $15,000 paid to CVI for access to the personal information, according to the class action lawsuit.

“Based on this information, Experian should have further investigated CVI’s regulatory compliance, Ngo, and SG Investigators’ operations,” the plaintiffs claim.

If Experian had done so, the plaintiffs contend that the credit reporting agency “would have discovered Ngo’s illegal identity fraud enterprise utilizing CVI’s consumer PII data bases, and shut it down.”

However, they say that Experian, either intentionally or recklessly “failed to do so … and reaped the financial benefits of the acquisition of CVI for another ten months.”

During that 10 month period, Ngo continued to pay CVI for access to its data bases.

The data breach class action lawsuit also claims that Experian learned during that time “that CVI was unlawfully obtaining public record information through a practice known as ‘web scraping,'” in which it gathered information by violating the terms of use of websites it used for collecting data by working around and sidestepping their technological barriers to acquire information.

This discovery, also, “should have caused Experian to launch a thorough and comprehensive internal investigation of CVI to right the ship.”

Patton, Goodridge and Kaldmo claim in their class action lawsuit that Experian violated the Fair Credit Reporting Act, California business law and the Declaratory Judgement Act.

They are asking for statutory damages and injunctive relief, which will include: notifying each American who had their information compromised by Ngo, sold to Ngo or was compromised in some way during the course of the security lapse. Those affected should also be given identity theft and credit protection as a result of the actions.

The plaintiffs are represented by Timothy G. Blood and Paula M. Roach of Blood Hurst & O’Reardon LLP, Erich P. Schork and Ben Barnow of Barnow and Associates PC and Richard Coffman of the Coffman Law Firm.

There is no attorney information available for Experian at this time.

The Experian Data Breach Class Action Lawsuit is Patton et al. v. Experian Data Corp., Case No. 8:15-cv-01142, in the U.S. District Court for the Central District of California.