- U.S. says Vietnamese man made $2 million on illegal data sales
- ID theft seen as next wave in consumer crime by U.S. officials
Stealing credit card information had become a grind. The hacker was spending 12 hours a day hunched over a keyboard, scanning the Internet for weaknesses he could exploit to pilfer data he’d sell for increasingly meager sums.
And so Hieu Minh Ngo began looking for another scam. What the Vietnamese hacker discovered transformed him into one of the most prolific identity thieves in U.S. history. All he needed was a web portal and a bit of social engineering. After that, he said, your information belonged to him.
Over almost two years, according to U.S. officials and court records, Ngo made $2 million by providing illegal access to a massive database of personal information to hundreds of criminals. It was so easy, he said, that he sometimes labored no more than an hour or two a day.
“I made a lot of money that I have never seen in my life,” Ngo, 26, said in a telephone interview from a federal detention center in Brooklyn. “I was living in an apartment, a posh one. I even changed cars every year. I had a large TV. Oh, I loved vacations. I went on lots of vacations, the best resorts.”
For U.S law enforcement, Ngo’s case highlights a new nightmare of the information age. As retailers and credit card companies strengthen security following high-profile data thefts, U.S. officials are increasingly concerned that more criminals will simply follow Ngo’s example and seek the ingredients -- names, dates of birth and social security numbers -- necessary to take over an identity and commit staggering levels of fraud.
The risk to individual consumers is far greater than simply having a credit card stolen. As many as 17.6 million U.S. residents were identity theft victims in 2014, at a cost of $15.4 billion, according to the latest Justice Department report on the problem. Fixing devastated credit scores can be far more time-consuming and frustrating than simply replacing a purloined credit card.
“This is the next wave,” said U.S. Secret Service Agent Matthew O’Neill, who spearheaded the investigation into Ngo and brought him to justice. “What Americans may not understand is that it’s really, really easy to buy this information. And once it’s stolen, it’s nearly impossible to be sure that you can reclaim your stolen identity.”
It took O’Neill, a veteran of hacking investigations, more than a year to identify and arrest Ngo, who pleaded guilty in 2014 to wire and identity fraud, among other charges. Ngo, whose name is pronounced “No,” was sentenced in 2015 to 13 years in federal prison for orchestrating a scheme that permitted at least 1,300 criminals to run three million queries against a commercial database containing records on at least 200 million Americans.
Ngo said from jail in more than a dozen phone and e-mail interviews in January and February that he got into hacking as a teenager and even wrote e-books describing how to commit computer fraud. He said he was sharing his story in part as a cautionary tale to others who might be tempted by the fast money of online crime.
A 2012 photo shows Ngo to be a slender man with an easy smile, a penetrating gaze and a dark thatch of hair. The son of the owners of an electronics store in the fishing town of Cam Ranh, the site of a U.S. Naval port during the Vietnam War, he became enamored of computers at a young age.
“I used to take out the mainboards, motors and batteries from other machines and make something creative like homemade fans, lights,” he said.
Since his family couldn’t afford Internet service, he visited cyber cafes where he scoured the Web to learn how to build a personal computer. By age 16, he was installing key-logging software onto Internet cafe computers “to find out interesting stuff like e-mail accounts, personal information,” he said.
“Again, just for fun,” he added, “not for money.”
For Ngo, the money came in high school, when he said he hacked retailers’ websites for credit card information. On some days, he said he took in as much as $10,000 -– which he spent on dinners, electronics, cars and girls.
In 2009, his parents sent him to a university in New Zealand to learn more about computers, but Ngo said he couldn’t kick the hacking habit. He broke into his school’s website, as well as those of retailers, and he was caught re-selling goods he had purchased with stolen credit cards.
He left New Zealand and returned home, where he struggled with what to do next.
“I was lost and so mad at myself,” he said. “I told myself I would never do it again.”
While attending a university in Vietnam, he grew bored and again began hacking, though pilfering credit card information was getting progressively harder. One afternoon in 2010, Ngo said, he was chatting with others in an underground hacking forum when one participant suggested that stealing U.S. Social Security numbers would be more lucrative.
Ngo began trawling the Internet for vulnerable companies and hacked one in New Jersey that owned a database of consumer information. He was soon running queries for criminals and selling them the data.
“I said, ‘Wow, it’s good money,”’ he said.
Not long after penetrating the company’s computers, he said he had what he called “an aha! moment” to improve his efficiency: simply build a website to automate the queries for his customers.
He hired Web designers and launched his site in October 2010. After a few weeks, however, the New Jersey firm he had victimized discovered it had been hacked and plugged its security hole. Ngo was looking for another victim when he came across Court Ventures, a California-based data broker that aggregated and repackaged information from public records.
He e-mailed the firm asking to set up an account as a private detective based in Singapore who needed to conduct background checks. After supplying doctored records, he had obtained from a private investigator whose computer he had hacked, he was granted access for 12 cents a search, according to court records.
Court Ventures also had a data-sharing agreement with U.S. InfoSearch, a Columbus, Ohio-based company that owns databases containing billions of such records. It was U.S. InfoSearch data that Ngo and his clients ended up searching and downloading, according to court documents.
In March 2012, Experian Plc –- the Dublin-based data credit-scoring giant -– purchased Court Ventures. In a statement, Gerry Tschopp, a senior vice president of public affairs at Experian, said the data theft carried out by Ngo started before his company acquired Court Ventures.
After learning of the scam from the Secret Service in late 2012, Experian stopped reselling U.S. InfoSearch data, Tschopp said. The company “worked closely and in full cooperation with law enforcement to bring Ngo to justice,” he said. “To be clear, no Experian database was accessed.”
U.S. InfoSearch Chief Executive Officer Marc Martin said Court Ventures and Experian missed warning signs with Ngo and sold the data to him “without our knowledge or consent.” He emphasized that Ngo never gained access to U.S. InfoSearch’s servers or its platform.
“We are not responsible for the sale of data by Experian and Court Ventures to Ngo, and he should never have been granted access to their systems,” Martin said in an e-mail.
Ngo said he required payment (usually about $1 per file download) through Liberty Reserve, a now-defunct digital currency that was favored by fraudsters. Over the course of the scheme, he said, he made about a $400,000 profit -- an estimate that U.S. investigators called conservative. U.S. authorities say he generated revenue of about $2 million.
For about a year, Ngo said, he enjoyed the high-life, driving a BMW and eating at the best restaurants. He also helped his parents pay off some debt and took his family on vacations.
Then, in November 2011, cyber-security blogger and consultant, Brian Krebs, posted an article exposing Ngo’s “fraudster-friendly site.”
“That’s when I began getting nervous,” Ngo said.
He changed the website’s name in a futile effort to avoid detection by authorities. What he didn’t know was that Krebs’s article had caught the attention of O’Neill, the Secret Service agent.
Using search warrants and other investigative methods, O’Neill eventually identified Ngo and figured out that Experian was the unwitting source of his information. Experian shut down Ngo’s access to its records after being alerted by the Secret Service.
As Ngo raced to find new sources of personal data, he received e-mails from a hacker purporting to be a powerful player in the data field. What he didn’t know was that the hacker was a suspect in another one of O’Neill’s cases and was cooperating with the agent to receive leniency in an upcoming sentencing.
The hacker promised Ngo he could help him restart his identity theft business. To cement their deal, the hacker wrote, they had to meet in person.
Ngo rejected meeting in New Zealand, worried he could be arrested and prosecuted for previous wrongdoing. He was also concerned he might be extradited to the U.S. and charged in connection with his identity theft scam.
Yet he agreed to meet in Guam. Not long after stepping off the plane in February 2013, Ngo was put in handcuffs.
“That was dumb,” he said. “I should have known it was part of the United States. I only really realized that when we landed.”