The City of San Diego, Calif. is suing consumer credit bureau Experian, alleging that a data breach first reported by KrebsOnSecurity in 2013 affected more than a quarter-million people in San Diego but that Experian never alerted affected consumers as required under California law.

The lawsuit, filed by San Diego city attorney Mara Elliott, concerns a data breach at an Experian subsidiary that lasted for nine months ending in 2013. As first reported here in October 2013, a Vietnamese man named Hieu Minh Ngo ran an identity theft service online and gained access to sensitive consumer information by posing as a licensed private investigator in the United States.

In reality, the fraudster was running his identity theft service from Vietnam, and paying Experian thousands of dollars in cash each month for access to 200 million consumer records. Ngo then resold that access to more than 1,300 customers of his ID theft service. KrebsOnSecurity first wrote about Ngo’s ID theft service — alternately called Superget[dot]info and Findget[dot]me — in 2011.

Ngo was arrested after being lured out of Vietnam by the U.S. Secret Service. He later pleaded guilty to identity fraud charges and was sentenced in July 2015 to 13 years in prison.

News of the lawsuit comes from The San Diego Union-Tribune, which says the city attorney alleges that some 30 million consumers could have had their information stolen in the breach, including an estimated 250,000 people in San Diego.

“Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds,” writes Union-Tribune reporter Greg Moran.

Experian did not respond to requests for comment.

In December 2013, an executive from Experian told Congress that the company was not aware of any consumers who had been harmed by the incident. However, soon after Ngo was extradited to the United States, the Secret Service began identifying and rounding up dozens of customers of Ngo’s identity theft service. And most of Ngo’s customers were indeed involved in tax refund fraud with the states and the IRS.

Tax refund fraud affects hundreds of thousands of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

In May 2014, KrebsOnSecurity reported that Ngo’s identity theft service was connected to an identity theft ring that operated out of New Jersey and New York and specialized in tax refund and credit card fraud.

In October 2014, a Florida man was sentenced to 27 months for using Ngo’s service to purchase Social Security numbers and bank account records on more than 100 Americans with the intent to open credit card accounts and file fraudulent tax refund requests in the victims’ names. Another customer of Ngo’s ID theft service led U.S. Marshals on a multi-state fugitive chase after being convicted of fraud and sentenced to 124 months in jail.

According to the Union-Tribune, the lawsuit seeks civil monetary penalties under the state’s Unfair Competition Law, as well as a court order compelling the Costa Mesa-based company to formally notify consumers whose personal information was stolen and to pay costs for identity protection services for those people. If the city prevails in its lawsuit, Experian also could be facing some hefty fines: Companies that fail to notify California residents when their personal information is exposed in a breach could face penalties of up to $2,500 for each violation.

Tags: Experian breach, findget.me, Greg Moran, Hieu Minh Ngo, Mara Elliott, superget.info