News & Resources

Even identity theft protection companies are vulnerable to attacks

Oct 30, 2013 Dave King

Even identity theft protection companies are vulnerable to attacks

Identity theft is a problem that is not likely to go away any time soon, especially with more and more Internet-savvy users entering the dangerous world of cybercrime each day. Adding to these worries is a new report by investigative site KrebsOnSecurity, which found that prominent credit bureau Experian unknowingly sold consumer data to disreputable website A haven for hackers and predators looking to illegally obtain sensitive consumer information, offers users the ability to search through fraudulently acquired social security cards and related information, such as citizens' birthdays, drivers licenses and more.

Scam origins

KrebsOnSecurity breaks down the scamming process conducted by founders, who run the website from Vietnam. The trouble for Experian began when the credit bureau purchased smaller company Court Ventures. Court Ventures had previously struck a deal with what it believed to be American private investigators who wished to access the business' database. These private investigators later turned out to be the owners of, who published information from the database on their website, unbeknownst to Court Ventures. Even after Experian purchased the company, they detected nothing suspicious about the agreement reached between this third party and Court Ventures and even continued to receive payments from the "investigators." The credit bureau was under the impression that these payments, in the form of wire transfers, were being exchanged for information that would help prevent identity theft and fraud.

Experian was first alerted to this scam when a U.S. Secret Service agent called and disclosed that he had gotten a subpoena against them in relation to an investigation of the deal with the alleged private investigators. The credit bureau fully cooperated with the government to get to the bottom of this mysterious pact and discover who the true culprits of the misappropriation of data were.

Thousands of consumers put their trust in Experian as a champion of identity theft protection, so this scandal came as a shock to many. Gartner blogger Avivah Litan recently claimed that the scam reinforces the idea that "there is no data privacy anymore." Are businesses and consumers alike supposed to get used to the notion that nothing they do is safe from the preying eyes of data hackers? While it is undoubtedly more difficult for the average person to detect Internet users intending to steal their personal information, companies such as Experian sell identity theft protection products and yet are still vulnerable to attacks by malicious hackers. Large businesses dealing with vast amounts of personal data need to thoroughly vet any third parties who request consumer information from them, as an overly-trusting approach could lead to disasters such as these.