A US subsidiary of credit reference agency Experian released the personal details of more than 500,000 people to a fraudster posing as a private investigator.
The records, which included dates and places of birth, addresses, social security details, phone numbers and email addresses, were subsequently sold on to identity fraudsters for at least $2.3m between 2007 and 2013.
Vietnamese national Hieu Minh Ngo had convinced Court Ventures, an Experian subsidiary, to release the sensitive data after posing as a Singaporean private investigator.
The case highlights how "social engineering" can be used to undermine organisations' information security - people invariably being the weakest link.
Ngo paid Court Ventures, which Experian acquired outright in 2012, for the data by wiring monthly payments from Singapore. The arrangement continued after Experian acquired the company and was only investigated after US intelligence agencies warned the company.
The purchasers of the information used it to file fraudulent tax returns, acquire bank loans and run up bills in the names of the victims - ruining their credit standing with organisations like Experian.
Experian, which has recently won a contract with the UK's Identity Assurance programme, said that the fraud was a one-off and did not affect its UK records.