If you still live under the assumption that the credit reporting agencies have consumers’ best interests in mind about whom they hold tons of valuable personal information, you are in for a rude awakening. A recent security blunder involving easy access to consumer credit reports shows how screwed up things at Experian have become. And what makes the situation even more appalling is that this is far from the first time that Experian and other credit bureaus have made mistakes that expose data and set up regular people for identity theft and fraud.
Background
The most recent issue showcasing the ongoing holes in Experian’s attempt to safeguard personal information involves access to consumer credit reports. Experian is one of the three major credit reporting bureaus, with Equifax and Transunion being the other two. These bureaus gather and hold the credit information and sell this data to various lenders and credit-scoring businesses. This critical data is the lifeblood of success and stability for many Americans. The fact that the bureaus essentially bargain and tender all of our credit information to the highest bidder sets the scene for where this story is headed. That in and of itself is another glaring problem with credit reporting as it currently stands and warrants its own post in due time, but on to the story at hand.
Near the end of 2022, some effective sleuthing by independent cybersecurity professional Jenya Kushir led to a discovery of a method which identity thieves had been using to easily access credit reports to use for potential fraud. When people want to access their credit report through Experian, the company bounces the inquiring individual to annualcreditreport.com, which is set up to give every citizen free access to their own credit reports once a year.
To view the report, a person needs to enter their name, address, social security number, and date of birth. After entering this personal information, consumers are directed to Experian’s portal and given prompts for a series of multiple-choice questions to confirm further the identity of the individual requesting the credit report.
And here is where the flaw arises. By simply changing the end of the URL on this question page to a different set of slashes and letters, you can get access to the full credit report. Those additional questions intended to safeguard credit report information are easily bypassed if identity thieves have access to the few pieces of necessary personal information and the correct change of URL that is widely circulating within various online networks that these thieves utilize.
The Aftermath
News of this security flaw went public in December, and Experian seemed to fix the issue shortly after. But there’s no telling how long the simple URL change trick worked or how many credit reports were wrongly displayed because of it. It’s still likely too early to say how widespread of a problem this was, and anyone whose information was unknowingly accessed might not immediately fall victim to fraud. But it’s another slap in the face by Experian to its customers and the public, and the company has not displayed much remorse or explanation for what happened.
If you have reason to believe that your credit report was accessed without your inquiry or have fallen victim to identity theft recently, it could be because of this Experian blunder. Unfortunately, there’s no way to precisely tell for sure how thieves get access to your personal information. And since some personal information was needed to exploit this loophole, anyone with recent data exposure via other security breaches might have had their credit report viewed by potential fraudsters.
Ideally, someone will hold Experian accountable for this glaring security error, as it marks an ongoing pattern of lax security with consumer personal information. There has been a push by some Senators and other regulators to enact measures that do a far better job of holding credit bureaus and similar organizations more responsible for their mistakes and lack of accountability. We’d all be better off if such a change materialized. For now, it seems likely that this example is just another in a long line of problems that Experian has caused over the years.
Experian’s Ongoing Issues
It’s not the first time that Experian has made headlines at the consumer’s expense. The company has seen a number of problems and plunders that are alarming from a security perspective. It makes one wonder how the company still has a such a hold on information that is so important to the financial well-being of Americans.
In July 2022, Experian came under fire for a series of hacks involving identity thieves accessing credit reports by signing up for new accounts (using stolen personal information) with a new email. Experian didn’t have any safeguards in place to prevent this easy loophole being exploited by threat actors. To make matters worse, the company instructed affected individuals to change their emails to get a new account to fix the issue – the very same tactic that identity thieves just exploited.
Another widespread hack and data breach hit Experian in 2015. This compromised the personal information of around 15 million people and was linked to customers with T-Mobile cellphone accounts. And in 2014, another cyberattack on Experian compromised 200 million social security numbers.
Data breaches and cyber incidents aside, Experian also boasts a track record of less-than-ideal business practices. Customers were livid back in 2011 when they felt tricked into signing up for Experian’s offer of free credit reports, only to discover that this also enrolled them in a monthly subscription service that is difficult to cancel.
Final Thoughts
Despite this evident incompetence by Experian, the credit bureau is still intricately involved with daily life. Understanding that the reporting agencies don’t necessarily have your best interest at heart is a critical step toward taking security efforts into your own hands. Knowing what’s on your credit report can help you spot any discrepancies or fraud indicators quickly and help is available to assist you along those lines.
Taking an active and involved position with your credit and personal information can better position you when problems like the Experian blunder mentioned here arise. And until steps are made to improve and change how credit reporting agencies operate and safeguard data, problems will continue to appear.
LibertyID provides expert, full-service, fully managed identity theft restoration to individuals, couples, extended families* and businesses. LibertyID has a 100% success rate in resolving all forms of identity fraud on behalf of our subscribers.
*LibertyID defines an extended family as: you, your spouse/partner, your parents and parents-in-law, and your children under the age of 25.