It was only last week that Experian released a white paper on what it sees as data breach risks for 2017. Perhaps ironically, then, it was only days later that a dark web vendor claimed to have Experian’s database for sale. HackRead reported on “DoubleFlag’s” listing:
The hacker claims he has access to the Experian database which contains information of some 203,419,083 accounts and has set the price for this database at Bitcoin 0.8082 (USD 600.00).
The database as per his claim includes customer’s full name, address, apartment number, city, state, zip code, gender details, telephone numbers, date of birth, marital status, delivery point barcode, Fips state code, Fips county code, Single Family Dwelling, Apartment with unit designator, Rural Route, Community Reinvestment Act (CRA) income classification code, income details, credit rating details, mail delivery records, Assimilation code, details about customer’s ethnicity, religion, language and other personal and financial information of Experian customers.
Waqas was careful to report this only as a claim, and he stated that the database had not been confirmed as an Experian database. DataBreaches.net reached out to Experian for either a confirmation or refutation of DoubleFlag’s claim. Today, a spokesperson for Experian sent the following statement:
“We’ve seen this unfounded allegation and similar rumors before. We investigated it again – and see no signs that we’ve been compromised based on our research and the type of data involved. Based on our investigations and the lack of credible evidence, we consider this an unsubstantiated claim intended to inflate the value of the data that they are trying to sell – a common practice by hackers selling illegal data.”
The mention of having seen this “before” likely refers to another database offered earlier this year that was supposedly an Experian database linked to the T-Mobile hack. That database, while appearing to contain what might be legitimate demographic information, did not come from Experian, the company had stated.
Experian’s denial that the data are theirs may explain DoubleFlag’s reported unwillingness to answer any of Waqas’s questions as to when and where the data were stolen from Experian.
If DoubleFlag would like to provide more details about the alleged hack and some actual proof to support his claim that the data came from Experian, he is welcome to contact DataBreaches.net on Jabber at [email protected].
The credit reporting agencies have always touted that “it’s not their data”, which is why they’re not responsible for what they report or for ensuring its accuracy and places the burden of proof on the consumer. Why would they now say it’s their data?
There’s a difference between claiming they are not responsible for the accuracy of data they collect from other sources and claiming that data did not come from a database on their server or system.