Oh, look. Yet another Experian breach.
On November 3, Experian notified the New Hampshire Attorney General’s Office that Merchants Capital Access‘s login credentials to Experian’s credit-reporting database had been misused by an unknown party. Two New Hampshire residents were notified of the breach that occurred between October 20 and October 21. The total number affected was not disclosed.
In response to the breach, Experian took corrective action that may have included reissuing the userid for Merchants’ access, imposing other access restrictions, and “updated security measures.” They do not indicate whether those updated measures were for Merchants’ system or theirs.
As it has done in way-too-many other breaches of this kind, Experian offered those affected two years of free credit monitoring with Experian’s own product: ProtectMyID Elite.
In April 2012, the FTC was informed of Experian’s numerous breaches and asked to investigate and take enforcement action to protect consumers from the harm that a breach of their database can cause. By my tally, there have been 107 breaches involving misuse of client login credentials PLUS numerous other breaches where criminals were able to authenticate as individuals and access their credit reports.
To date, I have seen no closing letter and no enforcement action by the FTC.
If FTC is serious about data security, why are they letting these repeated breaches continue without government action?