DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Experian ProtectMyID didn’t protect him from ID theft – Target customer

Posted on January 31, 2015 by Dissent

As this blogger and Brian Krebs have both pointed out on a number of occasions, Experian’s ProtectMyID may only monitor Experian’s own credit reports and not those of Equifax, TransUnion, or Innovis.  Now one consumer seems to have learned that lesson the hard way.

Consider the offer Target made to its customers following their massive breach (emphasis added by me):

This ProtectMyID package includes the necessary tools guests need for credit monitoring and identity theft protection. It does not include Experian credit score or reports from Equifax and TransUnion. When visiting the enrollment site, guests will have the option to purchase these additional products at their own expense if they choose, but are not required to purchase a credit score to receive the benefits of credit monitoring and identity theft protection.

Although Target stated that consumers wouldn’t get Equifax and TransUnion “reports,”  did the consumers really read and understand what “reports” meant in that sentence? Did they think those reports were just credit scores or did they realize it meant those credit reports wouldn’t be monitored?

If consumers didn’t read carefully, and then only read Experian’s bulleted list of features in the sign-up for the activation code, they might not realize what they weren’t getting (screen cap credit: Brian Krebs):

target-exp

To be clear: if consumers purchase ProtectMyID directly from Experian, they  get “Daily monitoring of your Experian, Equifax®, and TransUnion® Credit Reports with email alert notifications when key changes occur,” but that’s not the same “ProtectMyID” service  a company may arrange for following a breach, even though the name is the same.

A spokesperson from Experian confirmed to DataBreaches.net that they offer a 1-Bureau Experian monitoring product and a 3-Bureau monitoring product to data breach clients. And they confirmed that Target had purchased the 1-Bureau Experian monitoring product.

Yesterday, Pam Zekman of CBS reported on how one consumer who signed up for ProtectMyID after the Target breach was stunned to become an ID theft victim:

Identity thieves charged $1,400 at one department store and $6,000 more on two credit cards they opened in Walters name.

Walters says he got no alerts from ProtectMyID.

“They said we don’t see anything. And I was just flabbergasted. I was like, ‘What do you mean you don’t see anything. How could you not see anything? There’s two accounts open. There’s charges on them, and you see nothing?’”

The service didn’t see anything, apparently, because the free protection package Target paid for only monitored credit bureau reports from one company: Experian, the company that operates ProtectMyID.

“That is the biggest hole in this net,” says William Kresse of Governors State University, an anti-fraud authority. “Some of these credit protection services only use one of the three credit reporting services.”

[…]

Experian says it takes consumer concerns very seriously and there was no sign of an error in the Walters case.

Yes, we’re supposed to read terms and conditions and understand what we’re getting  – or not getting – when we sign up for a service. But should breached entities be offering a 1-bureau credit monitoring service instead of a service that monitors the “Big Three?” I don’t think so.  I don’t know what, if anything, the FTC can do about this, but if consumers wind up with a false sense of security following a breach because the breached entity has offered a 1-bureau product while claiming it’s giving consumers the necessary tools to protect themselves, then is that an unfair or deceptive practice?

The bottom line is this: consumers need to become more savvy and not accept offers of products that do not give them good protection – but  companies should not be offering products that do not serve breach victims well. When a consumer files a fraud alert with one credit reporting company, that company is required to notify the other two. And that serves the consumer well. But should credit monitoring products be able to claim they offer good protection against ID theft if they only monitor one of big credit reporting firms?  And should companies be allowed to offer such incomplete services to breach victims? There’s no law requiring companies to offer credit monitoring services, but maybe we need some provision that if they do offer it, it needs to meet a certain standard.

Paging the FTC to Aisle 4….

Category: Commentaries and AnalysesID TheftOf Note

Post navigation

← Ex-employee booked with stealing identities of Kenner retirement home residents
Fire at a Brooklyn Warehouse Puts Private Lives on Display →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.