Supply chain weaknesses cause trouble for Experian
Experian could be investigated by the US regulator, the FTC, after becoming the latest credit check agency to fall victim to a cyber attack.
Over the last six years, attackers have repeatedly targeted credit check firms, and in 86 successful attacks have obtained over 17,000 credit reports by exploiting weak security within connected institutions, ranging from financial bodies to a police department, according to public records requests made by a privacy advocate known as Dissent Doe.
Dublin-based Experian is one of the latest, and Dissent Doe has asked the Federal Trade Commission (FTC) to look into it.
Experian checks pilfered
The Experian breach happened last year, when hackers compromised an employee system at Abilene Telco Federal Credit Union and took the bank’s password for its Experian account. They used that access to steal credit reports on 847 people, and also managed to steal a host of data, including financial information and social security numbers, on other people across the US.
The news agency claimed Experian had its database breached 80 times in this single breach, with almost 15,500 credit reports pilfered.
Dissent Doe has now filed a complaint with the Federal Trade Commission, asking it to investigate Experian’s security practices. The FTC has not yet commented on the case.
Yet whilst malware may have been resident on the bank’s machines, Experian infrastructure itself was never infected, TechWeekEurope understands. This publication also understands Experian was the first to notice the attempt on the US bank, notifying it and advising it to take action.
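The pattern the article describes, a partner’s stolen credentials being used to pull far more reports than that partner ever normally does, from an address it has never used, is exactly what a bureau-side monitor on partner accounts can catch. The detector below is an added example written for this article; it is not Experian’s system, and the log format, account names, baseline figures and thresholds are all constructed assumptions. It parses lookup records, compares each account’s hourly volume against its usual rate, flags source addresses outside the account’s known set, and lists the accounts that should be suspended pending contact with the partner.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed baseline (assumed values): how many reports each partner account
# usually pulls per hour, and which source addresses it normally uses.
BASELINE = {
    "acct-telco-001": {"per_hour": 3, "known_ips": {"203.0.113.10"}},
    "acct-bank-042": {"per_hour": 10, "known_ips": {"198.51.100.7"}},
}


def _line(ts, account, ip):
    # Assumed log format: ISO timestamp, partner account id, source IP.
    return f"{ts.isoformat(timespec='seconds')} {account} {ip}"


def build_sample_log():
    """Constructed log: normal daytime use, then an off-hours burst from a new address."""
    lines = []
    day = datetime(2012, 9, 10, 9, 0, 0)
    for i in range(8):  # 8 lookups spread over the working day
        lines.append(_line(day + timedelta(hours=i), "acct-telco-001", "203.0.113.10"))
    for i in range(6):  # another partner behaving normally
        lines.append(_line(day + timedelta(hours=i, minutes=20), "acct-bank-042", "198.51.100.7"))
    night = datetime(2012, 9, 11, 2, 0, 0)
    for i in range(60):  # 60 lookups in 30 minutes, from an address never seen before
        lines.append(_line(night + timedelta(seconds=30 * i), "acct-telco-001", "192.0.2.55"))
    return "\n".join(lines)


def parse_log(text):
    """Turn log text into (timestamp, account, source_ip) tuples."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, account, ip = raw.split()
        events.append((datetime.fromisoformat(ts), account, ip))
    return events


def detect_anomalies(events, baseline, factor=5):
    """Return (account, hour_bucket, reason) alerts.

    Two signals: hourly volume above factor x the account's baseline, and a
    source address outside the account's known set. Unknown accounts are
    flagged outright, since every legitimate partner should have a profile.
    """
    per_hour = Counter()
    new_ips = defaultdict(set)
    for ts, account, ip in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        per_hour[(account, bucket)] += 1
        profile = baseline.get(account)
        if profile and ip not in profile["known_ips"]:
            new_ips[(account, bucket)].add(ip)

    alerts = []
    for (account, bucket), n in sorted(per_hour.items()):
        profile = baseline.get(account)
        if profile is None:
            alerts.append((account, bucket, "unknown account"))
            continue
        if n > factor * profile["per_hour"]:
            alerts.append((account, bucket, f"{n} lookups vs baseline {profile['per_hour']}/h"))
        for ip in sorted(new_ips.get((account, bucket), ())):
            alerts.append((account, bucket, f"new source address {ip}"))
    return alerts


def accounts_to_suspend(alerts):
    """Distinct accounts with at least one alert; these get disabled pending review."""
    return sorted({account for account, _, _ in alerts})


if __name__ == "__main__":
    found = detect_anomalies(parse_log(build_sample_log()), BASELINE)
    for account, bucket, reason in found:
        print(f"{bucket.isoformat()} {account}: {reason}")
    print("suspend:", accounts_to_suspend(found))
```

The two signals are deliberately independent: a burst from a known address still trips the volume check, and a trickle from a new address still trips the source check, so an attacker who keeps under one threshold does not automatically evade the other. In production the baseline would be learned from the account’s own history rather than hard-coded, and the suspension would feed a workflow that notifies the partner and the affected consumers, which is the response the article says followed in the Abilene Telco case.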
“We continue to invest in the security systems we have in place to protect our clients and consumers,” said a spokesman for Experian.
“Of course, the first line of defence lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means.”
A spokesperson told TechWeekEurope: “In the case relating to Abilene Telco, our security system quickly alerted them and subsequently the 702 consumers to the suspicious activity and ensured that the unauthorised access was disabled.
“As our action shows, our first priority – regardless of the source – is to always protect our clients and consumers from identity theft and our policy is to proactively notify consumers who may have been the victims of criminals trying to illegally obtain consumer information.”
Experian may not be able to palm off all responsibility, however. “I would argue that given the nature and sensitivity of the information being held by the credit reporting agencies, and the potential harm it could have on the affected individuals, these credit bureaus should not rely solely on their customers’ security to protect that data,” said Brian Honan, security consultant and head of Ireland’s Computer Security Incident Response Team.
“Being an Irish headquartered company, Experian would come under the Irish Data Protection Act and is responsible for ensuring that adequate steps are taken to secure the personal data it holds. If those measures are not deemed to be good enough, Experian could come under investigation by the Irish DPC.”
Earlier this month, Experian warned of the rise in illegal data trade. Its research found almost 20 million pieces of personal data were illegally traded in the first six months of 2012.