This 25-Year-Old Vietnamese Man Stole the Identities of Nearly 200 Million Americans

Photo: Getty Images/iStockphoto

Yet another young hacker prodigy has emerged from a far-flung corner of the Internet to demonstrate that America’s computer systems are in dire need of a security overhaul.

According to a report released Tuesday by the Department of Justice, Vietnamese citizen Hieu Minh Ngo has been given a 13-year prison sentence for breaking into the computers of American companies, stealing personal information belonging to nearly 200 million people, and selling it to other criminals online. The 25-year-old made more than $2 million in the process.

“Criminals buy and sell stolen identity information because they see it as a low-risk, high-reward proposition,” Assistant Attorney General Leslie Caldwell said in the release. “Identifying and prosecuting cybercriminals like Ngo is one of the ways we’re working to change that cost-benefit analysis.”

Between 2007 and 2013, Ngo worked from his home in Vietnam to penetrate computer systems. (The Department of Justice did not reveal the specific tactics he used.) Once he was in, he’d collect as much personal information as he could from each company’s systems: full names, addresses, phone numbers, birthdays, Social Security numbers, bank accounts, and details about credit cards. That done, he’d then advertise the identities he’d collected — which he called “fullz” — on websites he ran, including superget.info and findget.me. (Those sites are now shut down.)

Ngo also admitted that fellow cybercriminals could search those websites for stolen information about specific individuals. According to the report, more than 1,300 of Ngo’s customers around the world used this feature, entering a total of 3 million search queries.

Those criminals would then use that information to file fraudulent income tax returns: Details about 13,673 Americans, bought through his website, were used to file $65 million in such returns, according to the Internal Revenue Service.

Ngo was sentenced in a U.S. district court in New Hampshire for wire fraud, identity fraud, and access-device fraud. He was arrested in February 2013, when he visited the United States, according to NBC News.

This news comes just a month after the U.S. Office of Personnel Management announced that hackers had gained access to its systems, which housed the personal information of at least 22.1 million people. Victims of that hack included federal employees and contractors, as well as individuals close to them.

So: Personal information for millions of Americans exposed by the criminal hobby of one very crafty 20-something living thousands of miles from U.S. soil. A U.S. government that can’t protect its own employee information. Seems like it’s about time we shored up our infrastructure to protect our “fullz,” no?

Follow Alyssa Bereznak on Twitter or send her an email.