Experian defends database security practices in face of investigations

Experian: 2,500 customer records exposed in 2006.

TransUnion: 3,623 in 2005.

And beyond those, DataLossDB.org lists, again and again from 2005 to the present, dozens of incidents in which an "unknown" number of names, addresses, dates of birth, Social Security numbers and driver's licence numbers were accessed from Equifax, Experian and TransUnion, in breaches spread across the years.

Experian, for one, is defending its security practices after Bloomberg published a report late last month about flaws in how credit reporting agencies protect their databases.

In that report, Bloomberg’s Jordan Robertson tallied 86 data breaches since 2006 that demonstrate how attackers avoid directly targeting the credit reporting agencies, instead going after affiliated businesses – such as banks, auto dealers and even a police department – that rely on the agencies for background credit checks.

Those breaches led to the theft of almost 15,500 credit reports since 2006.

As a result of Robertson’s report, Ireland’s Office of the Data Protection Commissioner, which enforces privacy law in the country, is now investigating Experian’s security practices.

To get at Experian's data, attackers are known to have broken into the networks of its customers and stolen the passwords those customers use to pull credit reports online. A stolen client login is indistinguishable from the client at the point of authentication, which is why the agency's own monitoring of what each login does matters so much.

Ireland’s regulators aim to find out whether Experian can be held responsible for failing to detect such fraud.

A spokesman for Experian declined to comment, but told Robertson in an email that the breaches were:

"isolated security issues experienced by a small number of our clients in North America involving US consumers under US data-protection jurisdiction."

Rather, Experian's clients bear the responsibility to monitor and maintain the security of their own systems and credentials, the spokesman said.

The spokesman said that Experian, for its part, uses:

"sophisticated technology to detect anomalies that might indicate suspicious activity in systems access, which we immediately flag to the client and, when appropriate, to consumers and law enforcement."

Whether such “sophisticated technologies” are enough is a question that’s under investigation by both houses of the US Congress, which are looking into data collection (and, potentially, security) practices of Experian, Equifax and TransUnion.

At least one breached customer's story shows why Experian itself could well be held accountable for database breaches.

Abilene Telco Federal Credit Union, a small credit union in west-central Texas, had the password for its online Experian account stolen last year. In short order, 847 credit reports were pulled, including reports on people who had never done business with the credit union.

As Robertson writes, the surge alone should have alerted Experian to fraud, because the number of reports exploded far beyond the credit union's typical monthly draw: its Experian bill usually came to $100 or less a month, but the fraudulent pulls drove it to $3,493.73.

On top of that, the attack began on a day when the bank was closed.
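The two signals Robertson points to, a volume far above the client's own baseline and activity on a day the client is closed, are straightforward to express as detection rules on the agency's side. What follows is an added example of that logic written for this page; it is not Experian's code and does not describe how Experian's "sophisticated technology" works. It parses a constructed pull log, compares each client's month-to-date count with a made-up monthly history, flags pulls on weekdays the client's profile says it is closed, and flags bursts of pulls in a short window. The client id, log format, history figures and thresholds are all assumptions.

```python
"""Added example: baseline-and-calendar anomaly detection over a constructed
credit-report pull log. Not Experian's code; client ids, log format, history
figures and thresholds are assumptions made for this illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed per-client profile: pull counts for the previous six months and
# the weekdays the client is open (0 = Monday ... 6 = Sunday).
CLIENT_PROFILES = {
    "abilene-telco": {
        "monthly_history": [18, 22, 15, 20, 17, 21],
        "open_weekdays": {0, 1, 2, 3, 4},
    },
}

VOLUME_MULTIPLIER = 3          # flag a month above 3x the busiest historical month
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 20               # flag more than 20 pulls inside any 10-minute window


def build_sample_log():
    """Constructed audit log, one pull per line:
    '<ISO timestamp> <client> <operator login> <source ip>'.
    Four ordinary weekday pulls, then a burst of 80 pulls at 15-second
    intervals starting 02:00 on Saturday 2011-09-17 from a new address."""
    lines = [
        "2011-09-12T09:14:02 abilene-telco loans1 203.0.113.10",
        "2011-09-13T10:02:41 abilene-telco loans1 203.0.113.10",
        "2011-09-14T15:48:19 abilene-telco loans2 203.0.113.11",
        "2011-09-15T11:20:00 abilene-telco loans1 203.0.113.10",
    ]
    t0 = datetime(2011, 9, 17, 2, 0, 0)
    for i in range(80):
        t = t0 + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()} abilene-telco loans1 198.51.100.77")
    return "\n".join(lines)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, operator, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "operator": operator, "ip": ip})
    return events


def detect(events, profiles):
    """Return a list of alert dicts, one per (client, rule) finding."""
    alerts = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    for client, evs in by_client.items():
        prof = profiles[client]
        evs.sort(key=lambda e: e["ts"])

        # Rule 1: any pull on a day the client's profile says it is closed.
        closed = Counter(e["ts"].date() for e in evs
                         if e["ts"].weekday() not in prof["open_weekdays"])
        for day, n in sorted(closed.items()):
            alerts.append({"client": client, "rule": "closed_day",
                           "date": day.isoformat(), "count": n})

        # Rule 2: month-to-date volume against the client's own history.
        ceiling = VOLUME_MULTIPLIER * max(prof["monthly_history"])
        per_month = Counter(e["ts"].strftime("%Y-%m") for e in evs)
        for month, n in sorted(per_month.items()):
            if n > ceiling:
                alerts.append({"client": client, "rule": "volume",
                               "month": month, "count": n, "ceiling": ceiling})

        # Rule 3: burst rate, via a sliding window over the sorted timestamps.
        times = [e["ts"] for e in evs]
        start, worst = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > BURST_LIMIT:
            alerts.append({"client": client, "rule": "burst",
                           "max_in_window": worst})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(build_sample_log()), CLIENT_PROFILES):
        print(alert)
```

On the constructed log this raises three alerts for the one client: 80 pulls on a Saturday, 84 pulls in a month whose history never exceeded 22, and 41 pulls inside a ten-minute window. The third signal in the Abilene Telco story, reports pulled on people who had never done business with the credit union, is one the agency cannot evaluate on its own, because only the client knows its customer list; that is a fair point in Experian's favour, but it does not excuse missing the volume and calendar signals, which sit entirely on the agency's side.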

Robertson may well have tallied one slice of the pie, but the truth is, nobody can say for sure how many credit-reporting agency records have been compromised, because the agencies’ lips are just about glued shut.

As the New York Times reported about database marketing company Acxiom, beyond personally identifiable information such as social security numbers, name, address, credit card information and the like, data aggregators’ “prying eyes” look deeper than the FBI or the IRS to find information including “age, race, sex, weight, height, marital status, education level, politics, buying habits, household health worries, vacation dreams – and on and on.”

A group of US Congressional representatives in July demanded more transparency from the agencies, noting that consumers are in the dark about the identity of data brokers, how they collect personal information, and to whom they sell or provide this information.

The administrator of DataBreaches.Net, who goes simply by the title “admin” and who in April filed a complaint about Experian with the US Federal Trade Commission (FTC), says that we simply don’t know how many compromises of client logins transpire, since only a minority of US states have a central repository of breach reports, and fewer still make such reports readily available on a public site.

S/he writes:

Much of what we know about Experian’s breaches we know only because volunteers at DataLossDB.org - this blogger included - file for reports under Freedom of Information laws. Experian’s breaches would likely have continued to evade public or Congressional scrutiny because there is no national central repository of breach reports available to the public and Congress. We need to remedy that.

"Admin" lauded the efforts of lawmakers on behalf of consumers and expressed his/her hope that state attorneys general open their own investigations, to:

"determine if their residents are being adequately protected from breaches involving data-rich credit reports."

That’s a wise call to arms.

Kudos to the US lawmakers and the Irish regulators for demanding transparency.

Let’s hope this attention goes beyond a demand for transparency, though, and that at the end of the day we see attention being paid to the additional database protections that we should demand from data brokers.

The story of Abilene Telco shows that, "sophisticated" technology or no, the agencies could be doing a lot more than leaving security mostly up to their customers.