Jordan Robertson of Bloomberg reports:
The three big U.S. credit-reporting agencies have agreed to be more helpful. Errors in your credit history will now be easier to correct and delinquent medical bills will take longer to hurt your credit score. An agreement announced Monday between New York Attorney General Eric Schneiderman and Experian, Equifax, and TransUnion will limit the damage caused by inaccurate credit reports, which can sabotage home and car purchases, jack up interest rates, and sometimes cost people their jobs.
But one thing was missing from the list of reforms. The credit agencies have long been prime targets for hackers, and the agreement made no mention of improvements to cyber-security practices.
As Robertson reports, the type of Experian breaches this blogger has reported on numerous times – where client login credentials are compromised and used to access Experian’s database – have continued. Since Bloomberg News reported on the problem in 2012, there have been additional breaches, and I now have 109 of Experian’s own reports to state attorneys general describing such breaches of their credit reporting database. That number is likely an underestimate, as not all states requiring reporting to the state attorney general, and not all states make reports available under public records law.
As Robertson notes, this activist “has been pushing the Federal Trade Commission to tighten the industry’s security practices.” I filed a formal FTC complaint as an advocate in April 2012, but have seen no public action by the FTC in response.
Is Experian too big for the FTC to hold accountable for data security? Why haven’t we seen any consent order or administrative law proceeding?
In response to Robertson’s questions:
Experian spokesman Gerry Tschopp said the company uses a sophisticated computer system to detect anomalies. “Data security and protection are a top priority, and we constantly invest in and evolve our systems to protect the integrity of our systems, our data and our platforms,” he wrote in an e-mail. TransUnion’s Clifton O’Neal said the company regularly reviews and tests its own internal security processes and controls. “However,” he added, “to maintain the integrity of our security procedures, specific details and efforts regarding those procedures cannot be disclosed.” And Equifax spokesman Tim Klein said: “The security and integrity of our data is of the utmost importance to us. Updating, enhancing the protections, ensuring they are as strong as possible, is an ongoing process for us and our data security team.”
Neither TransUnion nor Equifax have reported anywhere near the number of breaches due to compromised client login credentials that Experian has reported. And as both Brian Krebs and I have commented, when Experian’s database is breached by client login misuse, Experian offers consumers its own credit monitoring product. How convenient (and cost-saving) for them.
Robertson concludes:
Anything to make cleaning up identity theft easier is a good thing. At the same time, more transparency from the custodians of our most private information about how they safeguard to prevent attacks would be good, too.
To which I’d add: and more actual data security enforcement by the FTC would go a long way to getting the word out. That they have aggressively pursued LabMD while not taking action against Experian is just…. disturbing.