It seems that Experian is trying to defend its data security following Jordan Robertson’s report on dozens of breaches involving compromised client logins. Jordan’s report was based on dozens of breach reports compiled by DataLossDB.org and yours truly, who filed a complaint with the FTC about Experian’s breaches back in April. Pat Dulnier reports on Experian’s defense, as does Robertson, who reports today that the Irish Data Protection Commissioner has opened a preliminary inquiry into Experian’s data protection. Robertson reports:
Gerry Tschopp, a spokesman for Experian, declined to comment directly on the Irish inquiry. The breaches were “isolated security issues experienced by a small number of our clients in North America involving U.S. consumers under U.S. data-protection jurisdiction,” he said in an e-mailed statement.
“While it is the responsibility of clients to maintain and monitor the security of their own systems and credentials, we use sophisticated technology to detect anomalies that might indicate suspicious activity in systems access, which we immediately flag to the client and, when appropriate, to consumers and law enforcement,” Tschopp wrote.
Why should cybercriminals even bother trying to attack Experian’s systems directly if they know how easy it is to trick a client into providing their login? And why doesn’t Experian, knowing that this problem has been increasing yearly, do something that would more effectively protect consumer data?
Experian may call this “isolated,” but I don’t consider 89 or more breaches involving client logins “isolated.” And that’s just one type of breach reported to a handful of states. About 10% of their breach reports do not identify compromised client logins. In these other cases, Experian informs consumers that someone was able to authenticate as the consumer and access their credit report. Do they acknowledge responsibility for those breaches or do they also believe that it’s not their breach?
What may not have been clear from Robertson’s report is that I did not file any FTC complaint against Equifax or TransUnion. My complaint was only about Experian, who had nearly 90 breach reports that I had looked at. Since I filed the complaint, I’ve obtained additional breach reports raising the numbers even higher. So why is it that Experian has reported almost 100 breaches while its competitors have reported only a small fraction of that number? Can we account for the difference by the difference in their number of customers, or is at least some of the difference due to the other firms having better security in place? I don’t know the answer to that.
Dulnier reports:
“The crooks used basic credentials to get in,” Al Pascual, an industry analyst for security, risk and fraud at Javelin Strategy & Research, said, according to American Banker. “It would have been better to increase and strengthen the type of authentication required.”
Experian maintains that its security systems require more than just basic credentials, and while Tschopp did not give details regarding software or system structure, he said that the company uses a risk-based authentication system in addition to a tech network that detects system access anomalies by clients.
“We require and expect our clients to routinely and securely manage their authentication credentials to the highest standards and monitor the security of their systems,” Tschopp said, American Banker reports. “In the instances where credentials might be compromised, our security systems monitor 24/7 for any anomalies that could suggest suspicious activity. These are then flagged immediately to the client, and, as appropriate, to consumers and law enforcement for resolution.”
Well, that may sound good as a quote, but is it true?
As Jordan’s report notes, how is it that the system didn’t detect the Abilene Telco Federal Credit Union anomalies sooner? Is it reasonable for Experian to argue that their system worked when over 800 consumers had their credit reports stolen on a day of the week that the credit union has never requested a report, from an IP address not associated with the credit union, and in a burst of requests from a low-frequency client?
Abilene wasn’t the only case of that kind. In December 2010, Experian notified state attorneys general in at least five states that the login for the El Paso Police Department in Texas had been compromised and credit reports on almost 800 consumers had been accessed. How is it that their system didn’t flag credit report requests from a Texas police department for people in North Carolina, New Jersey, Maine, New Hampshire, and Maryland sooner?
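The signals named in the Abilene and El Paso cases above (a day of the week never used before, an unfamiliar IP address, a burst from a low-frequency client, consumers far outside the client's usual area) can each be checked against a per-client baseline. The sketch below is an added illustration, not Experian's system and not code from any of the cited reports; the client ID, IP addresses, flag names and burst threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: (client_id, ISO timestamp, source IP, consumer state); IDs and IPs are hypothetical.
HISTORY = [
    ("cu-001", "2012-03-05T10:02:00", "192.0.2.10", "TX"),  # Monday
    ("cu-001", "2012-03-07T14:30:00", "192.0.2.10", "TX"),  # Wednesday
    ("cu-001", "2012-03-07T15:10:00", "192.0.2.11", "TX"),
    ("cu-001", "2012-03-13T09:45:00", "192.0.2.10", "TX"),  # Tuesday
]
# Twenty Sunday requests from an unknown IP for out-of-state consumers, then one ordinary Monday request.
NEW = [("cu-001", f"2012-03-18T02:{m:02d}:00", "203.0.113.77", s)
       for m, s in enumerate(["NC", "NJ", "ME", "NH", "MD"] * 4)]
NEW.append(("cu-001", "2012-03-19T10:00:00", "192.0.2.10", "TX"))

def build_baselines(history):
    """Per client: weekdays, source IPs and consumer states seen, plus daily counts."""
    base = defaultdict(lambda: {"weekdays": set(), "ips": set(),
                                "states": set(), "daily": defaultdict(int)})
    for client, ts, ip, state in history:
        when, b = datetime.fromisoformat(ts), base[client]
        b["weekdays"].add(when.weekday())
        b["ips"].add(ip)
        b["states"].add(state)
        b["daily"][when.date()] += 1
    return base

def flag_days(baselines, events, burst_factor=5):
    """Return {(client, date): sorted flags} for each client-day that deviates."""
    days = defaultdict(list)
    for client, ts, ip, state in events:
        days[(client, datetime.fromisoformat(ts).date())].append((ip, state))
    alerts = {}
    for (client, day), reqs in days.items():
        b = baselines.get(client)
        if b is None:  # no history at all: surface it instead of guessing
            alerts[(client, day.isoformat())] = ["no_baseline"]
            continue
        checks = {
            "unseen_weekday": day.weekday() not in b["weekdays"],
            "unknown_ip": any(ip not in b["ips"] for ip, _ in reqs),
            "out_of_area_consumer": any(st not in b["states"] for _, st in reqs),
            "volume_burst": len(reqs) > burst_factor * max(b["daily"].values()),
        }
        flags = sorted(name for name, hit in checks.items() if hit)
        if flags:
            alerts[(client, day.isoformat())] = flags
    return alerts

print(flag_days(build_baselines(HISTORY), NEW))
```

Any one flag alone would be noisy for a real client; the point of the cases above is that several independent signals fired on the same day, which is the combination worth alerting on.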
And speaking of quick detection: in July 2011, Experian notified NYS that Gotham Bank of New York’s login had been compromised and credit reports on 358 consumers had been acquired between June 27, 2010 and June 28, 2011, when they first discovered the breach. That same month, they also notified NYS that 202 consumers had their credit reports stolen when New Resource Bank’s login was compromised. Why did it take one year in each case to detect the problem? But they aren’t even the worst cases. In another case, their system apparently didn’t flag or block requests from a client’s login (Crown Financial Group) and over 2,000 consumers had their credit reports stolen during a one-week period in August 2011. The breach wasn’t even discovered until March 29, 2012.
Then there are the cases that do not seem to involve compromised client logins and where Experian’s ability to detect breaches may be even worse. Some examples:
- On January 17, 2011, Experian notified the NYS Attorney General’s Office that 268 consumers had their credit reports accessed between September 24, 2008 and March 18, 2010. They report that they discovered the breach on November 5, 2010. Why over a year and a half to detect? And why so long to notify?
- On February 18, 2011, Experian notified NYS that 138 consumers had their credit reports accessed between August 1, 2009 and October 25, 2010. They report they discovered the breach on January 21, 2011. Are you impressed? I’m not.
- Experian notified the New Hampshire Attorney General’s Office in April 2012 that consumer data may have been accessed during a one-week period in August 2011. Why did it take so long to detect and notify consumers? In May 2012, they notified the state that data of New Hampshire residents had been accessed between November 2010 and March 2012, and in yet another breach report filed with the state that same month, they reported other residents had their data improperly accessed between November 2011 and February 2012. That doesn’t sound like quick detection to me.
As I’ve always readily acknowledged, I am not a security expert. Consider me Suzie Q. Public who wants to know why her data aren’t being better protected by Experian. Dulnier reports:
Pascual said that enhanced protections, including device fingerprinting, which is used to determine if credentials are being used to fraudulently access a network, against unauthorized access could strengthen data protection.
“If they are using device fingerprinting to make sure that the machines that are accessing the consumer records are bank machines, that will strengthen the protocol,” Pascual said, according to American Banker.
I don’t know what the solution is, but if Experian thinks it’s doing just fine on data protection, then I’m concerned. The guardian of so much data that is an ID thief’s wet dream should not be patting themselves on the back when they have failed to prevent repeated problems. Robertson was unable to get Experian to state how many breaches they’ve had:
Experian has declined to offer specifics about the total number of breaches it has suffered.
Hopefully, Congress and/or the FTC will get us some answers and take steps to protect our data.
These credit reporting agencies are a bunch of Bozos. They willingly give out contact information to creditors and it looks like it’s finally pushed many people over the edge. They act like a rogue business at times. When I see “opt-out” information and a credit agency POC information on the back, it’s a purely jacked up condition. The very source that is supposed to help protect your identity is selling your information. Then, all it takes is some evil person to grab those credit card applications, do some research and they can successfully submit something.
Now that this credit reporting agency has their pants around their ankles, maybe they will get back to the basics. Don’t stop investigating when this one is well under way. I am wondering if the other two major credit reporting agencies also have the same disease – Greed.