States probing security breach at Experian unit
(Reuters) — A number of U.S. states are jointly investigating a data breach involving a subsidiary of Experian P.L.C. that exposed the Social Security numbers of some 200 million people to potential criminal activity.
A Vietnamese man last month confessed in U.S. District Court in New Hampshire to orchestrating the breach, so the focus of the multistate investigation will likely be on whether Experian and other parties followed laws requiring companies to properly secure consumer data and comply with breach disclosure rules.
"We are investigating," Maura Possley, a spokeswoman for Illinois Attorney General Lisa Madigan, told Reuters on Thursday. "It's part of a multistate investigation."
Jaclyn Falkowski, spokeswoman for Connecticut Attorney General George Jepsen, said Connecticut is also looking into the matter.
Ms. Possley and Ms. Falkowski declined comment when asked what other states were participating.
News of the breach surfaced as the Obama administration seeks to strengthen the government's ability to compel businesses to adequately secure consumer data. FTC Chairwoman Edith Ramirez on Wednesday asked the Senate Homeland Security committee to pass national breach notification legislation.
A spokesman for Experian, which is best known for providing consumer credit histories, declined comment on the probe, saying the company does not comment on such investigations as a matter of policy.
Vietnamese national Hieu Minh Ngo last month pleaded guilty in New Hampshire federal court to running an underground website that offered clients access to personal data of Americans including Social Security numbers, which could be used for identity theft and other types of financial fraud.
Federal authorities say he obtained Social Security numbers through a U.S. firm known as Court Ventures, which provides customers with access to court records. It also offered them access to a database of Social Security numbers of some 200 million Americans through a data-share arrangement with another firm, known as U.S. Info Search.
Mr. Ngo obtained an account with Court Ventures sometime before March 2012, when Experian bought the firm's assets, by posing as a Singapore-based private investigator, according to court documents.
Prosecutors say Mr. Ngo's customers used Court Ventures to make some 3.1 million queries of the U.S. Info Search database over an 18-month period. Experian spokesman Gerry Tschopp told Reuters access to the data ended on Dec. 4, 2012, when his company turned off the Court Ventures portal that Mr. Ngo used to access the database.
Authorities have not said how many people's data was accessed through those queries, each of which could have potentially included multiple records or returned no data. They have not identified any specific cases in which stealing of data through Court Ventures has led to identity theft or other crimes.
Officials with both Experian and U.S. Info Search say they have not been able to ascertain which records were accessed by Mr. Ngo's customers and are therefore unable to notify victims.
"We are actively pursuing the facts and we are working to help uncover what records may have been affected," Mr. Tschopp said.
U.S. Info Search CEO Marc Martin told Reuters he cannot identify the victims of the breach because he is unable to ascertain which queries that came from Court Ventures were from Mr. Ngo's account and which were from other clients.
The company provides data to law enforcement, collection agencies, mortgage processors and other companies that need information to verify identities.
"We have cooperated and assisted the authorities in their investigation from the onset and likewise urged Experian to make timely notifications," Mr. Martin said.
A spokesman for the U.S. Secret Service declined comment. The agency investigated Mr. Ngo using undercover agents and lured him from Vietnam to Guam, where he was arrested. He is awaiting sentencing in New Hampshire federal court.
Connecticut and Illinois have been leading a multistate coalition investigating the data breach at retailer Target Corp. in which some 40 million payment card numbers and 70 million other pieces of customer data were stolen.
Massachusetts and New York are also participating in that investigation, though representatives for those attorneys general declined to say if they would participate in a probe of the case involving Mr. Ngo, Experian and U.S. Info Search.
Target hired Experian to offer free credit monitoring services to its clients after the breach.
Mr. Ngo did not access any Experian databases, including the ones it uses for its credit monitoring products, according to Mr. Tschopp.