An identity theft service that prosecutors say illegally sold social security numbers, birth dates, driver license numbers, and other sensitive data for more than 500,000 people purchased much of the information from credit service Experian, according to a report published Sunday night.
The revelation, reported by KrebsOnSecurity journalist Brian Krebs, is striking because Experian is one of the three major credit services. Experian also sells its own line of services for preventing identity theft. That means the company was in a position to profit not only from the data it reportedly sold to underground service Superget.info but also from the demand the underground site created for Experian's credit-monitoring and other identity theft protection services. Sunday's report comes four weeks after Krebs reported that members of a different identity theft ring hacked into LexisNexis and two other data brokers and obtained personal information belonging to at least one million people.
Interestingly, Krebs reports that the alleged proprietor of Superget.info paid Experian for his monthly data access using wire transfers sent from Singapore. Experian, which by law is required to restrict access to private investigators and other users for "permissible purposes," should have regarded the unusual payment arrangement as a red flag that the account was being used for fraudulent purposes, according to critics. Superget.info gained access to Experian's databases by posing as US-based private investigators even though the people who ran the service were located overseas.