Skip to content
Naked Security Naked Security

ID thief who scooped data on 200 million Americans jailed for 13 years

Hieu Minh Ngo, whose websites put personal information on over 200 million US citizens up for sale, has been sentenced to 13 years in prison.

ID fraudA Vietnamese national whose websites put personal information on over 200 million US citizens up for sale has been sentenced to 13 years in prison.

Hieu Minh Ngo, 25, pleaded guilty in March 2014 to operating what is described as “a massive international hacking and identity theft scheme,” after being arrested on entering the US in February 2013.

Ngo admitted running a number of dodgy trading sites, including superget.info and findget.me, where he put up for sale bundles of personal data known as “fullz.”

The packages often included complete sets of information on individuals, including names, dates of birth, Social Security numbers, banking details and payment card data – data that crooks could use to easily defraud victims.

Ngo’s operation ran from 2007 to 2012, when a 15-count indictment was filed against him with charges including wire fraud, identity fraud, access device fraud and conspiracy charges relating to these various types of fraud.

At the time of the indictment, Ngo faced a total maximum sentence of well over 40 years.

Although the US Department of Justice’s release on the sentencing describes the source of Ngo’s data as “hacking into US businesses’ computers” and an unnamed “New Jersey-based business” as one of the hacked victims, it does not connect the data theft to data broker Experian, a link made by investigative writer Brian Krebs.

According to Krebs, Ngo acquired large amounts of personally identifiable information (PII) by posing as a US-based private investigator, and buying the information in bulk from a firm called Court Ventures, acquired by Experian while Ngo was a customer.

Much of the data sold by Ngo through his markets was used to commit US tax refund fraud, a very popular method used by cybercriminals to turn stolen personal information into hard cash.

The premise is simple – with little more than a name, address and Social Security number, scammers can file fraudulent tax returns and have the resulting payments redirected to addresses they control.

This is done early in the tax season, to ensure the scammers get their claims in before the real people they are impersonating.

The FTC offers detailed advice to people whose tax refunds are denied thanks to fraudulent claims having already been filed in their names.

The fraud has been described as a “growing epidemic,” one of the “highest priorities” for tax investigators and the “No 1 scam” seen by the IRS in 2013.

In that year, some 5 million dodgy returns were filed, claiming around $30 billion in refunds, of which some $24 billion were either stopped before being issued or recovered later, leaving $6 billion lost to scammers.

Losses through such fraud have been predicted to reach as much as $21 billion by next year.

Data sold by Ngo is thought to have resulted in the filing of $65 million in false refund claims affecting over 13,000 individuals, with Ngo making as much as $2 million from sales of data to over 1,300 clients.

At least one of those clients, Lance Ealy, will be familiar to Naked Security readers – he was brought to justice earlier this year after fleeing his trial and posting a taunting selfie on Twitter.

Another, Florida resident Derric Theoc, was jailed for 27 months after pleading guilty to attempted identity theft in October 2014. Theoc had tried to buy PII from a US Secret Service agent posing as Ngo.

With such epic amounts of money to be made from a relatively simple scam, it’s unlikely that the sentence handed down to Ngo will make a major dent in the booming trade in PII.

The tough sentence should send a signal to would-be fraudsters though, warning them that their activities are being tracked and could well result in serious jail time. Even deterring a small proportion of PII scammers is a good start.


Image of ID fraid courtesy of Shutterstock.

9 Comments

That’s not a tough sentence. Breaking all his fingers would be a start. Cutting them off would be better.

You seem to be confusing “tough” with “barbaric”. 13 years seems like a pretty long time for reselling data bought from Experian.

Stories like this are frightening. One only wishes there were a *reputable* source of those names compromised so those who wonder if they are on the list might check

John: Any info on why he got 13 years and not closer to 40?

Those “maximum permitted sentences” tend to only happen when a defendant denies the charges and forces a full (and expensive) trial, it seems those who save the prosecutors time and effort by pleading guilty can almost always expect a reduced sentence.

Even in cases where an offence carries a mandatory minimum sentence, if there’s a guilty plea any other sentences on other charges would probably be run in parallel rather than added on.

“ID thief who scooped data on 200 million Americans”

There is approximately 319 million Americans. This guy had data on 200 million of them. That’s 63% of Americans. This seems like either a hugely exaggerated number or people are not making a big enough deal about this. This is over half the country having their identity for sale. This does not seem like its accurate.

From the wording of the DoJ release, it sounds like he didn’t actually have all that data in his possession, just “fraudulently-obtained access” to it.

It wouldn’t be too extreme for a massive data-broker like Experian to have that much info, so perhaps he was just saying “give me a name and I’ll use my dodgy access to Experian data to look them up for you”, rather than “give me a name and I’ve probably got the data myself”.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?