DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

What will Congress do now that it knows about numerous breaches involving Experian? And what will the FTC do?

Posted on October 29, 2012 by Dissent

Jordan Robertson of Bloomberg News provides media attention to a problem I’ve noted previously on this blog – that Experian suffers a lot of data breaches* where a client’s login is compromised and misused by unauthorized individuals.  His coverage will hopefully inform national conversations about transparency, consumer protection, and breach notification.

First is the issue of transparency. We know that there have been at least 90 Experian data breaches since the beginning of 2006, the vast majority of which involve compromised client logins.  I say “at least” because  we do not know how many there have really been.  It’s only a minority of states that have a central repository of breach reports and even fewer that make those reports readily available on a public web site.  Much of what we know about Experian’s breaches we know only because volunteers at DataLossDB.org – this blogger included – file for reports under Freedom of Information laws.  Experian’s breaches would likely have continued to evade public or Congressional scrutiny because there is no national central repository of breach reports available to the public and Congress. We need to remedy that.

In April of this year, after reading what Experian had reported to the North Carolina Attorney General’s Office about their security and post-breach remedies, I decided to take a closer look at everything we had compiled for Experian on DataLossDB.org,  What I found concerned me as a consumer, and I filed a complaint with the FTC in my individual capacity. In that complaint, I  asked the FTC to consider whether Experian’s practices constituted unfair practice under the FTC Act.  As is its policy, the FTC never publicly announces whether it is investigating or pursuing a complaint. I suspect they will pursue my complaint, though, and that I won’t be getting any Christmas card from Experian this year. I can live with that. But it was time to put this problem under a strong spotlight.

I should point out that my  complaint was filed months before the House Bipartisan Privacy Caucus sent letters to Experian and others asking about their privacy and security practices. The caucus was not aware of my complaint when they sent their inquiries.  I would like to see Experian’s responses to the data security questions in their letter, but neither Rep. Markey nor Rep. Barton have made the response letter available to the public yet.  What will the Bipartisan Privacy Caucus do now?  And what will the Senate do? Senator Blumenthal told Jordan Robertson that this report is cause for further investigation. I hope he follows up. As Attorney General of Connecticut, Senator Blumenthal was a genuine advocate for his state’s residents when it came to privacy and data security. I hope he becomes the same positive force for change in the Senate.

And while Congress follows up on Jordan’s reporting, I hope some states attorney general also open their own investigations to determine if their residents are being adequately protected from breaches involving data-rich credit reports.

Not only is it time for Congress to enact legislation that creates a national repository of data breach notices that is available to the public on the Internet, but it’s time for Congress to enact legislation that requires more detailed disclosures in breach notices and sets a federal floor for breach notification that is at least as strong as the strongest state laws for breach notification.  And some might argue that it’s time for Congress to enact data security standards that incorporate statutory penalties as an incentive for entities to do a better job of protecting consumers’ data. We do not choose to have our data in many of these databases and we are generally given no way to opt out. As consumers, we are at the mercy of their data security. And we need more protection.

The Experian report can be – and should be – be a wake-up call for Congress.

Thanks to Jordan Robertson and Bloomberg News for taking this to a national level.

—

* I realize that Experian claims that these are not their breaches but their clients’ breaches for failure to adequately protect their login credentials.  As a non-lawyer, I reject their position, and agree with the statement made to Jordan by Maneesha Mithal, associate director of the FTC’s division of privacy and identity.  It’s their database, their portal, and their rules for access.  If they have somehow made it too easy for unauthorized individuals to authenticate and access their database, I think that’s on them. Others may disagree.

 

Category: Business SectorCommentaries and AnalysesOf Note

Post navigation

← Experian Customers Unsafe as Hackers Steal Credit Report Data
What sense can we make of some statistics? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.