You know the big three credit bureaus, right? It’s always entertaining to watch the gyrations of the random number they assign to each of us called a “credit score.” It’s the credit bureaus that cause your blood pressure to spike when you find out how inaccurate their records are after you’re turned down for a car loan or a mortgage.
The credit bureaus – Equifax, Experian, and TransUnion – also have side businesses. Why, Experian even has a security division for helping businesses cover up hacks. The Experian Data Breach Resolution website boasts that “Experian brings a high level of expertise and experience to data breach resolution. We have handled thousands of high-profile data breaches.”
That might be true! The credit bureaus have gotten tons of experience handling data breaches by losing control of their own data. And not just once! They’ve been hacked and leaked your data over and over and over and over.
The latest Experian failure is a perfect example of a company that has coasted without supervision for far too long and which does not take its job seriously at all.
Imagine that a ninja hacker could get into the Experian database and obtain a credit score and flaws in credit history for almost anyone. Yuck! They should have better security, I hear you say.
Bad news. It happened. Except it wasn’t a ninja hacker. It was a college sophomore shopping for student loans. He poked around a bit at a lender’s website and discovered that he could get his own credit score from Experian with nothing more than his name and address. There was a field for a birth date but it turned out not to matter – he got the same result if he put in all zeros. He could find the credit score for anyone by putting in their name and address. It was so trivially easy that he put together a little command line tool to automate it and named it “Bill’s Cool Credit Score Lookup Utility.” His discovery was confirmed by security expert Brian Krebs.
Experian says there is absolutely no reason to be worried. They checked the logs and no one has ever done that before in history, they promise, just lonely college sophomore Bill. And it’s not like it was a widespread problem, says Experian, there was no way to do this anywhere except this one lender’s website, nowhere else, even though the same insecure API is being used by thousands of other lenders to connect to Equifax data. They swear they’re telling the truth. Fortunately, companies with hacked data always tell the truth about how bad the hack is.
Maybe they’re right. Maybe this wasn’t yet another example of your personal data being smeared all over the dark web. There’s still something particularly annoying about this story. Let me give you a little history and some context to help you understand why this makes me so pissy.
A little history! Some context!
The credit bureaus are in a privileged position. They are the kingpins of the data brokerage industry that collects data about virtually every human being in the U.S., continually updated with info supplied by banks, mortgage companies, and retailers. They face little regulation despite an abusive history because they spend a lot of lobbying money to make it so, and the government depends on them for data to determine eligibility for Social Security, Medicare, and Medicaid. Cory Doctorow recently summarized the history of the credit bureaus:
The credit-reporting industry has not been seriously scrutinized since 1976.
1976 was the year that Congress amended the Equal Credit Opportunity Act after hearing testimony about the abuses of the Retail Credit Company – a company that swiftly changed its name to “Equifax” to distance itself from the damning facts those hearings brought to light.
Retail Credit/Equifax invented credit reporting when it was founded in Atlanta in 1899. For more than half a century, it served as a free market Stasi to whom neighbors could quietly report each other for violating social norms.
Retail Credit’s permanent, secret files recorded who was suspected of being gay, a “race-mixer” or a political dissident so that banks and insurance companies could discriminate against them. (link)
This practice was only curbed when a coalition of white, straight conservative men discovered that they’d been misidentified as queers and commies and demanded action, whereupon Congress gave Americans limited rights to see and contest their secret files.
But these controls were never more than symbolic. Congress couldn’t truly blunt the power of these private-sector spooks, because the US government depends on them to determine eligibility for Social Security, Medicare and Medicaid.
It’s a public-private partnership from hell. Credit reporting bureaus collect data the government is not legally allowed to collect on its own, then sells that data to the government (Equifax makes $200m/year doing this). (link)
Each of the credit monitoring agencies has a separate division that packages your personal information and sells or licenses it to other companies for targeted advertising and marketing.
This is the crucial difference between Google and Apple , on the one hand, and the credit bureaus on the other hand. Google and Apple know a lot about you. Google in particular knows virtually every detail of your life, practically down to your daydreams and inner thoughts. Google and Apple don’t tell anyone else what they know. Advertisers tell Google what the characteristics are of the people they’re trying to reach; Google says, okay, we’ve got this, and Google shows you the ads – but it never tells the advertisers who you are.
The credit bureaus love telling everyone what they know about you, which is everything. The whole point of their business is to sell access to your profile. They scrape information from public records – drivers licenses, voter registration, property rolls, census and change of address records, birth certificates, marriage licenses, bankruptcy records. They combine that information with everything they can collect from social media sites or buy from private sources – bank card issuers and financial institutions, retailers, health care and insurance providers, whatever is available.
They sell those profiles to lenders and advertisers. Experian creates APIs that the lenders and marketers can use to hook into Experian’s data.
And apparently they do it really badly. Our plucky college sophomore found the leaky information on a lender’s website, a company that was paying Experian for access to your information.
It’s Experian’s fault. Here’s what one security expert said, along with a translation:
To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.
Translation:
Experian sucks at security.
I’m naïve and unsophisticated. I would think that a company whose business was to accumulate extensive personal data on everyone in the world would be kind of obsessed with security. Especially after one of the worst hacks in history at Equifax in 2017 spilled the personal details of hundreds of millions of people, damaging Equifax’s reputation, lowering the company’s financial rating, sending a couple of company officers to jail, and costing it billions of dollars in fines and cleanup costs.
Experian appears to have learned nothing.
Experian was breached and hackers got the details of 15 million T-Mobile customers in 2015.
Experian was hacked in 2020 and gave away the details of 24 million South Africans and nearly 800,000 businesses.
There was a massive data leak of personal data of 220 million Brazilian citizens and companies earlier this year by an Experian subsidiary.
It has been shown over and over that the much-vaunted Experian “credit freeze” can be undone by bad guys with little difficulty because Experian uses poor security and authentication procedures.
And two weeks ago college sophomore Bill discovered that Experian’s poor security exposed private data to anyone looking.
I know I said in the last article that your personal information is widely available and we need to get used to that. But that doesn’t mean that these companies are excused from bad behavior! There should be regulations to require them to keep your information secure, and legal consequences when they are discovered to be reckless.
For now, when Experian says it has experience handling data breaches, you can believe them. They know exactly what can be done with lobbying dollars to make sure they will not be regulated or sued.