Let's review the ID theft landscape: A big business that earns millions from the buying and selling of personal information about you -- social security numbers, addresses, bank account details -- loses that information in a data breach, or maybe accidentally sells it to overseas fraudsters.

What happens next? Well, the business -- which, legally speaking, has no business relationship with you and thus can't be sued for the loss unless some immediate harm can be proven -- goes on buying and selling personal data. Consumers, however, get to keep looking over their shoulders, and bank statements, and credit card statements, wondering if some secreted stash of their personal information offered for sale via a foreign server is being bought and sold by data brokers' underground counterparts -- namely, ID thieves.

That's the situation that one InformationWeek reader I'll call "Ann" -- she asked to remain anonymous -- now finds herself in, after the news broke that an Experian subsidiary called Court Ventures was selling information directly to Superget.info, a Vietnamese fraudster service that offered customers the ability to look up millions of Americans' social security and driver's license numbers and financial information.

"I am possibly a victim of these people, but don't know for sure. In my case, seemingly MasterCard accounts were targeted -- a few fraudulent charges on one card, a few more on another a week or two later, and then the fraudulent creation of an online account on a third credit card for which I hadn't chosen to create my own online account," said Ann, who's the president of a small software company that sells point-of-sale software for restaurants. "When the fraudulent online account was created, it contained updates to my home address and phone number, among other changes. This was enough for the credit card company to forward an address change for me to the credit bureaus."

But Ann, who started her career as a Fortran and Cobol programmer and previously worked in the finance sector, said she wasn't tipped off about the ID theft until she received a letter that asked her to confirm a bogus address change. "At that point I alerted the credit bureaus, and am in the process of getting this mess fixed," she said. "Fortunately, the credit card companies caught this before fraudulent charges hit my statements, but it's a time-consuming nightmare."

One of the rubs in these situations is that when a consumer like Ann spots that her identity has been stolen, the culprit may not be clear. Indeed, her personally identifiable information (PII) may have been stolen several years ago, and only recently put to use.

Not coincidentally, when the Department of Justice announced the arrest of Vietnamese national Hieu Minh Ngo, 24, earlier this week on a 15-count indictment that included numerous identity theft and fraud charges, it alleged that over a three-year period he'd "offered for sale, sold and/or transferred to others packages of PII for more than 500,000 individuals."

... Read full story on InformationWeek


Post a comment to the original version of this story on InformationWeek