The company highlights the fact that its own databases have not been accessed

Apr 7, 2014 08:08 GMT  ·  By

There’s a lot of controversy regarding the data breach involving Experian-owned Court Ventures. The company has published a couple of statements to clarify what it calls “inaccurate information” circulating in the media.

In case you’re not familiar with the story, here’s some background. A Vietnamese national responsible for running an identity theft service tricked a company called US Info Search into giving him access to customer data. US Info Search had an arrangement with Court Ventures to give each other access to information.

At some point, Experian acquired Court Ventures. However, it failed to properly vet it, so the owner of the identity theft service, 24-year-old Hieu Minh Ngo, continued to have access to Court Ventures’ databases, through US Info Search, for several months after the company was purchased by Experian.

Experian highlights the fact that its own customer databases haven’t been accessed, and that it’s only involvement in the incident is that it purchased the assets of Court Ventures. Furthermore, Experian clarifies that although the breached database contains 200 million records, not all of them have been accessed.

The company also emphasizes the fact that it stopped the sale of the data as soon as it was notified by law enforcement of the breach.

However, experts say that Experian is not completely “innocent” in this entire story. As Brian Krebs highlights, Experian should conduct due diligence on the organization it acquires. In this case, it not only failed to properly vet Court Ventures before the acquisition, but even for several months after.

The fact that Ngo had bought information more than a year before Experian acquired Court Ventures means that there should have been enough evidence to unmask the fraudulent activities.

As Krebs points out, although its own databases haven’t been accessed, Experian has allowed a criminal service to purchase information from one of its companies.

It’s totally possible that not all 200 million records have been accessed, but Ngo did have 1,300 customers, who paid him a lot of money for information. This means that a large number of records were accessed.

Even worse, none of the individuals affected by this data breach has been notified, mainly because the companies involved in the incident still haven’t identified the victims. On the other hand, as DataBreaches highlights, Experian representatives told Senator Rockefeller’s committee in December 2013 that they knew who the victims were and promised to protect them.

Experian is suing the former owners of Court Ventures “for permitting the sale of US Info Search’s data to Ngo, and intends to hold those individuals fully responsible for their conduct in permitting the sale of data to an identity thief unbeknownst to Experian.”