San Diego Sues Experian Over Alleged 2010 Breach

(TNS) — San Diego City Attorney Mara Elliott has filed a lawsuit against consumer credit giant Experian, contending the company suffered a massive data breach that affected 250,000 people in San Diego and millions more — but never told customers about it.

The lawsuit seeks civil monetary penalties under the state’s Unfair Competition Law, as well as a court order compelling the Costa Mesa-based company to formally notify consumers whose personal information was stolen and to pay costs for identity protection services for those people.

Experian representatives did not respond to requests to comment on the lawusit Wednesday.

The lawsuit contends that the theft of up to 3 million records began in 2010 and was orchestrated by a then-teenager in Vietnam, Hieu Minh Ngo. Ngo, posing as private investigator based in Singapore, gained access to a database of consumer information that was then held by a company called Court Ventures Inc. or CVI.

He then sold the access to the database to identity thieves and other criminals via websites on the so-called “dark web,” the suit contends. Some 1,300 thieves worldwide bought access to the data, paying Ngo $1.9 million over an 18-month period ending in February 2013.

Experian purchased CVI in 2012. The suit says the company knew or should have known about the data theft. It says CVI’s biggest customer was the bogus private investigative firm Ngo set up, which was routinely paying $15,000 per month for access to the database. Company records also showed that millions of queries to the database were being made.

Ngo was eventually arrested by federal authorities in February 2013 and pleaded guilty in March 2014 to accessing the database. He was sentenced to 13 years in prison in July 2014.

The suit faults Experian for never notifying any consumers in the state that their information had been hacked, as required by California law. Federal investigators informed Experian in late 2012 about the investigation into Ngo and the security lapse.

“There is no law enforcement investigation that has prevented notices,” the suit argues. “Rather, defendants simply refuse to provide it. “

The law carries penalties up to $2,500 for each violation, meaning the company could be facing potentially millions in fines.

The suit estimated that 30 million consumers could have had their information hacked, including an estimated 250,000 in San Diego. Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds.

©2018 The San Diego Union-Tribune Distributed by Tribune Content Agency, LLC.