(Bloomberg) -- Stealing credit card information had become agrind. The hacker was spending 12 hours a day hunched over akeyboard, scanning the Internet for weaknesses he could exploit topilfer data he’d sell for increasingly meager sums.

And so Hieu Minh Ngo began looking for another scam. What theVietnamese hacker discovered transformed him into one of the mostprolific identity thieves in U.S. history. All he needed was a webportal and a bit of social engineering. After that, he said, yourinformation belonged to him.

Over almost two years, according to U.S. officials and courtrecords, Ngo made $2 million by providing illegal access to amassive database of personal information to hundreds of criminals.It was so easy, he said, that he sometimes labored no more than anhour or two a day.

“I made a lot of money that I have never seen in my life,” Ngo,26, said in a telephone interview from a federal detention centerin Brooklyn. “I was living in an apartment, a posh one. I evenchanged cars every year. I had a large TV. Oh, I loved vacations. Iwent on lots of vacations, the best resorts.”

For U.S. law enforcement, Ngo’s case highlights a new nightmareof the information age. As retailers and credit card companiesstrengthen security following high-profile data thefts, U.S.officials are increasingly concerned that more criminals willsimply follow Ngo’s example and seek the ingredients — names,dates of birth and social security numbers — necessary to takeover an identity and commit staggering levels of fraud.

‘Next wave’

The risk to individual consumers is far greater than simplyhaving a credit card stolen. As many as 17.6 million U.S. residentswere identity theft victims in 2014, at a cost of $15.4billion, according to the latest Justice Department report on theproblem. Fixing devastated credit scores can be far moretime-consuming and frustrating than simply replacing a purloinedcredit card.

“This is the next wave,” said U.S. Secret Service Agent MatthewO’Neill, who spearheaded the investigation into Ngo and brought himto justice. “What Americans may not understand is that it’s really,really easy to buy this information. And once it’s stolen, it’snearly impossible to be sure that you can reclaim your stolenidentity.”

13 years

It took O’Neill, a veteran of hacking investigations, more thana year to identify and arrest Ngo, who pleaded guilty in 2014 towire and identity fraud, among other charges. Ngo, whose nameis pronounced “No,” was sentenced in 2015 to 13 years in federalprison for orchestrating a scheme that permitted at least 1,300criminals to run three million queries against a commercialdatabase containing records on at least 200 million Americans.

Ngo said from jail in more than a dozen phone and e-mailinterviews in January and February that he got into hacking as ateenager and even wrote e-books describing how to commit computerfraud. He said he was sharing his story in part as a cautionarytale to others who might be tempted by the fast money of onlinecrime.

Related: The 10 most expensive data breaches todate

A 2012 photo shows Ngo to be a slender man with an easy smile, apenetrating gaze and a dark thatch of hair. The son of the ownersof an electronics store in the fishing town of Cam Ranh, the siteof a U.S. Naval port during the Vietnam War, he became enamored ofcomputers at a young age.

“I used to take out the mainboards, motors and batteries fromother machines and make something creative like homemade fans,lights,” he said.

Cyber cafes

Since his family couldn’t afford Internet service, he visitedcyber cafes where he scoured the Web to learn how to build apersonal computer. By age 16, he was installing key-loggingsoftware onto Internet cafe computers “to find out interestingstuff like e-mail accounts, personal information,” he said.

“Again, just for fun,” he added, “not for money.”

For Ngo, the money came in high school, when he said he hackedretailers’ websites for credit card information. On some days, hesaid he took in as much as $10,000 — which he spent ondinners, electronics, cars and girls.

In 2009, his parents sent him to a university in New Zealand tolearn more about computers, but Ngo said he couldn’t kick thehacking habit. He broke into his school’s website, as well as thoseof retailers, and he was caught re-selling goods he had purchasedwith stolen credit cards.

He left New Zealand and returned home, where he struggled withwhat to do next.

“I was lost and so mad at myself,” he said. “I told myself Iwould never do it again.”

‘Good money’

While attending a university in Vietnam, he grew bored and againbegan hacking, though pilfering credit card information was gettingprogressively harder. One afternoon in 2010, Ngo said, he waschatting with others in an underground hacking forum when oneparticipant suggested that stealing U.S. Social Security numberswould be more lucrative.

Ngo began trawling the Internet for vulnerable companies andhacked one in New Jersey that owned a database of consumerinformation. He was soon running queries for criminals and sellingthem the data.

“I said, ‘Wow, it’s good money,”’ he said.

Not long after penetrating the company’s computers, he said hehad what he called “an aha! moment” to improve his efficiency:simply build a website to automate the queries for hiscustomers.

Granted access

He hired Web designers and launched his site in October 2010.After a few weeks, however, the New Jersey firm he had victimizeddiscovered it had been hacked and plugged its security hole. Ngowas looking for another victim when he came across Court Ventures,a California-based data broker that aggregated and repackagedinformation from public records.

He e-mailed the firm asking to set up an account as a privatedetective based in Singapore who needed to conduct backgroundchecks. After supplying doctored records, he had obtained from aprivate investigator whose computer he had hacked, he was grantedaccess for 12 cents a search, according to court records.

Related: Here are 25 tips to both prevent and manage a cyberattack

Court Ventures also had a data-sharing agreement with U.S.InfoSearch, a Columbus, Ohio-based company that owns databasescontaining billions of such records. It was U.S. InfoSearch datathat Ngo and his clients ended up searching and downloading,according to court documents.

‘Full cooperation’

In March 2012, Experian Plc — the Dublin-based datacredit-scoring giant — purchased Court Ventures. In astatement, Gerry Tschopp, a senior vice president of public affairsat Experian, said the data theft carried out by Ngo started beforehis company acquired Court Ventures.

After learning of the scam from the Secret Service in late 2012,Experian stopped reselling U.S. InfoSearch data, Tschopp said. Thecompany “worked closely and in full cooperation with lawenforcement to bring Ngo to justice,” he said. “To be clear, noExperian database was accessed.”

U.S. InfoSearch Chief Executive Officer Marc Martin said CourtVentures and Experian missed warning signs with Ngo and sold thedata to him “without our knowledge or consent.” He emphasized thatNgo never gained access to U.S. InfoSearch’s servers or itsplatform.

“We are not responsible for the sale of data by Experian andCourt Ventures to Ngo, and he should never have been granted accessto their systems,” Martin said in an e-mail.

Liberty reserve

Ngo said he required payment (usually about $1 per filedownload) through Liberty Reserve, a now-defunct digital currencythat was favored by fraudsters. Over the course of the scheme, hesaid, he made about a $400,000 profit — an estimate that U.S.investigators called conservative. U.S. authorities say hegenerated revenue of about $2 million.

For about a year, Ngo said, he enjoyed the high-life, driving aBMW and eating at the best restaurants. He also helped his parentspay off some debt and took his family on vacations.

Then, in November 2011, cyber-securityblogger and consultant, Brian Krebs, posted an article exposingNgo’s “fraudster-friendly site.”

“That’s when I began getting nervous,” Ngo said.

He changed the website’s name in a futile effort to avoiddetection by authorities. What he didn’t know was that Krebs’sarticle had caught the attention of O’Neill, the Secret Serviceagent.

Ngo identified

Using search warrants and other investigative methods, O’Neilleventually identified Ngo and figured out that Experian was theunwitting source of his information. Experian shut down Ngo’saccess to its records after being alerted by the SecretService.

As Ngo raced to find new sources of personal data, he receivede-mails from a hacker purporting to be a powerful player in thedata field. What he didn’t know was that the hacker was a suspectin another one of O’Neill’s cases and was cooperating with theagent to receive leniency in an upcoming sentencing.

The hacker promised Ngo he could help him restart his identitytheft business. To cement their deal, the hacker wrote, they had tomeet in person.

Related: Technology makes fraud easier, says former conartist

Ngo rejected meeting in New Zealand, worried he could bearrested and prosecuted for previous wrongdoing. He was alsoconcerned he might be extradited to the U.S. and charged inconnection with his identity theft scam.

Yet he agreed to meet in Guam. Not long after stepping off theplane in February 2013, Ngo was put in handcuffs.

“That was dumb,” he said. “I should have known it was part ofthe United States. I only really realized that when we landed.”

Check us out on Facebook and give us a Like!

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.