Experian Database Compromise Leaves Hundreds of Identities Vulnerable

South Carolina Governor Nikki Haley promised millions of taxpayers free credit monitoring and protection from Experian after their information was stolen from the state’s department of revenue database by an international hacker. But recent reports question the security of all Americans’ identities with the credit bureaus themselves.

When computers at Texas’ Abilene Telco Federal Credit Union were compromised by hackers last year, the crooks weren’t after customers’ money. Instead, they used an employee’s password to the bank’s online Experian credit reporting account, which contains financial and personal data on more than 740 million consumers nationwide. The hackers then downloaded credit reports on 847 people, forever compromising their identities. The reports included vital information such as Social Security numbers, birthdates and financial records of the victims, who had never even done business with the small Texas bank. With such personal information, an identity thief can not only open credit or bank accounts, but also get a driver’s license and obtain housing and medical treatment in a victim’s name.

Unfortunately, the September 2011 incident is not isolated. According to Bloomberg, 86 such credit bureau data breaches have occurred since 2006. Hackers don’t have to target the bureaus—Experian, Equifax and TransUnion—which use multi-layered and complex fraud prevention methods. Instead, they target affiliated businesses—credit bureau customers. Organizations such as banks, car dealerships, property managers and police departments use credit reporting agencies for financial information and background checks.

Compromising secondary systems has led to more than 17,000 stolen credit reports since 2006, according to Bloomberg’s inspection of hundreds of notices sent to victims in six states—Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. Experian and TransUnion both released statements placing blame on their customers, saying they have little control over clients’ computers.

“This is profoundly important, because it illustrates a growing problem when it comes to data breaches and security—the chain is only as strong as its weakest link,” Senator Richard Blumenthal of Connecticut, a former attorney general who has investigated credit-rating agencies before, told Bloomberg in an interview. “If their customers have inadequate security practices, so do the credit bureaus.”

According to documents posted on DataLossDB.org, Experian’s database has been particularly vulnerable—it has been breached 80 times, and almost 15,500 credit reports have been compromised. Equifax’s system has been breached four times, accounting for more than 1,200 stolen reports, while TransUnion’s system has been breached only twice, compromising fewer than 500 reports. Each incident occurred when a hacker illegally obtained online log-in credentials from a credit bureau customer.

Although the credit bureaus claim no liability for the breaches, the incidents put a further spotlight on the current congressional investigation of the bureaus’ collection methods. In July, the House Bipartisan Privacy Caucus sent letters to Experian, Equifax, TransUnion and other smaller bureaus seeking information about their privacy and security procedures.

Likewise, the Federal Trade Commission penalized three credit report resellers last year after compromised log-in information led to more than 1,800 stolen reports. According to the FTC, the companies were at fault because they had failed to monitor not only their customers’ security procedures, but also suspicious behavior when it occurred.

“If you are providing access through an online portal, it’s your responsibility to secure that portal,” Maneesha Mithal, associate director of the FTC’s division of privacy and identity, said in an interview.