It has now been about two years since I filed a complaint with the FTC to alert them to all the data security breaches involving Experian’s credit report database.
And while I continue to wait to see the FTC take action against Experian over their numerous breaches involving misuse of clients’ login credentials, Experian has reported yet another breach of the same type, it seems.
This time it’s reportedly the Colorado Bureau of Investigation whose login credentials were compromised. The fact that the CBI had their login credentials compromised does not inspire confidence in them, but the fact of the matter is that it doesn’t seem to matter what clients have their login credentials compromised. Login credentials of a client seem to be the keys to the kingdom of Experian’s vast credit report database.
The letter to those affected, dated February 14, indicates that the unauthorized access to the consumers’ credit report(s) in Experian’s database occurred between January 30 and January 31, and would have involved name and address as well as one or more of date of birth, Social Security numbers, account information, and whatever information you’d find in a credit report.
As it has done in the past, Experian offers the affected consumer(s) two years of free credit monitoring services using Experian’s own service – which only provides daily checks of Experian’s own database of credit reports and does not also check Equifax and TransUnion for signs of suspicious activity.
So after failing to adequately protect its database from those who access or phish their clients’ login credentials, Experian offers consumers who are powerless to prevent the breach Experian’s own product for free and tries to up-sell it at the end of the complimentary service period?
C’mon, FTC, if you’re serious about protecting consumers from harm, then do something about Experian’s inadequate data security. About 100 breaches already that we know about – and how many more that we don’t know about because most states do not have a central repository of breach reports?
Do something already. Seriously.
Update: In addition to the notification to Vermont residents cited above, this brach was also reported to the New Hampshire Attorney General’s office and two NH residents.
Update 2: It was also reported to five Maryland residents.