An identity theft service that prosecutors say illegally sold social security numbers, birth dates, driver license numbers, and other sensitive data for more than 500,000 people purchased much of the information from credit service Experian, according to a report published Sunday night.

The revelation, reported by KrebsOnSecurity journalist Brian Krebs, is striking because Experian is one of the three major credit services. Experian also sells its own line of services for preventing identity theft. That means the company was in a position to profit not only from the data it reportedly sold to underground service Superget.info but also from the demand the underground site created for Experian's credit-monitoring and other identity theft protection services. Sunday's report comes four weeks after Krebs reported that members of a different identity theft ring hacked into LexisNexis and two other data brokers and obtained personal information belonging to at least one million people.

Interestingly, Krebs reports that the alleged proprietor of Superget.info paid Experian for his monthly data access using wire transfers sent from Singapore. Experian, which by law is required to restrict access to private investigators and other users for "permissible purposes," should have regarded the unusual payment arrangement as a red flag that the account was being used for fraudulent purposes, according to critics. Superget.info gained access to Experian's databases by posing as US-based private investigators even though the people who ran the service were located overseas.

An indictment unsealed last week in federal court in New Hampshire charged 24-year-old Hieu Minh Ngo of Vietnam with operating Superget.info and a similar ID theft service called findget.me. The services specialized in selling "fullz," a term online crooks use to describe a complete package of identifiable information including a person's name, address, Social Security number, birth date, place of work, duration of work, state driver's license number, mother's maiden name, bank account numbers, bank routing numbers, e-mail accounts, and account passwords. The two services acquired and sold fullz data on more than a half million people, the indictment alleged.

Ngo was arrested after federal investigators working under cover presented him with a phony business deal to lure him out of Vietnam, where they had no jurisdiction. He was taken into custody upon his arrival in Guam and then transferred to New Hampshire. If convicted on all 15 criminal charges listed in the indictment, Ngo could face a lengthy prison sentence.

Krebs's investigations raise troubling questions about the security of the world's biggest data brokers who know some of the most intimate private details on hundreds of millions of people. If these services are so vulnerable to fraud and hacking, can they really be trusted by consumers to prevent identity theft? And if we can't count on them to secure their own databases, at what point should state or federal regulators step in?

Listing image by Clint Chilcott.