Experian is a credit bureau whose credit reports are used by countless companies, agencies and individuals.  The personal and financial information Experian collects about individuals is among the most sensitive data and should be given the highest security protections.

So it is extremely troubling to learn that one of  the companies owned by Experian sold consumer information to Hieu Minh Ngo, a Vietnamese national, who was running an online identity theft service out of his home in Vietnam.  Who broke this news?  Brian Krebs in October 2013 in one of his exclusive investigations.  Now Mr. Krebs has a follow-up story with even more details about Mr. Ngo’s crimes (krebsonsecurity.com; “U.S. States Investigating Breach at Experian”; April 3rd).

As Mr. Krebs reported, Mr. Ngo pled guilty last month to the identity theft crime. The magnitude of his theft is staggering.

Mr. Krebs read the court proceedings.  He reports that Mr. Ngo sold personal and financial information to more than 1,300 customers between 2007 and 2013.  Moreover, Mr. Krebs reveals that Mr. Ngo “…tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans.” (see Mr. Krebs article).  The information Mr. Ngo bought came from Court Ventures, a company Experian bought in March 2012 — but Mr. Ngo was stealing the personal data for nearly ten months after the Experian purchase of that company.

Now an investigation’s been launched by multiple U.S. States into the Experian breach.  Mr. Krebs can and should be, thanked for his tireless efforts.  But the real and lingering question is: what is Experian doing to tighten its oversight of its’ subsidiary companies?