
10/24/2013
12:18 PM

Experian Breach Fallout: ID Theft Nightmares Continue

Data brokers amassing gigantic data stores of people's valuable personal information are too big to not fail. Why are consumers getting stuck with the mess?

Will Experian take these next steps -- sending notifications to affected consumers and providing free, third-party ID theft monitoring -- and if so, in what timeframe? I emailed those questions to a company spokesman Thursday, but haven't heard back yet (and will update this story when I do).

Regardless of how Experian responds, here are a few takeaways for consumers who want to avoid, through no fault of their own, becoming ID theft victims: "Maybe you can make your readers aware of the importance of maintaining online accounts for credit cards, even just so no one else steps in," said Ann. "In addition, I found my 'new' address and phone in online searches for myself at phone listing companies, which obviously cull the credit bureau websites."

Since consumers now have the right to see one credit report per year from each of the three big credit reporting firms -- Equifax, Experian (them again) and TransUnion -- one useful technique is to order one report from a different bureau every four months.

While the suspect in this case, Ngo, is brought to justice, what of Experian's role here? As Ashkan Soltani, an independent privacy and security researcher who formerly worked with the Federal Trade Commission, said about the Court Ventures debacle, it's yet "another example of how data brokers expose consumers to unnecessary risk."

On that front, FTC chairwoman Edith Ramirez has called on Congress to give the agency more power to ensure that data brokers' buying and selling of people's personal information doesn't infringe on consumers' interests. "The time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight," Ramirez said in a keynote speech at the Technology Policy Institute's Aspen Forum in August. "In other words, with big data comes big responsibility. Firms that acquire and maintain large sets of consumer data must be responsible stewards of that information."

Perhaps the information sold by Court Ventures to the alleged Vietnamese ID-theft-as-a-service providers will include copious amounts of personal information on members of Congress, as well as their staff. Of course, that will be bad luck for them. But as they -- like Ann -- invest their own time, energy and money into attempting to clean up the resulting mess, maybe it will drive Congress to empower the FTC to hold data brokers accountable as they amass ever-increasing amounts of our personal data.

In the meantime, keep a close eye on your credit reports, bank statements and credit card statements.

Comments
Railroader,
User Rank: Apprentice
11/3/2013 | 8:28:15 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
I believe this data collecting violates my constitutional rights and should be stopped immediately. I have not given these thugs my expressed written permission to collect any information, public or private, about me, or to sell same, and should be considered illegal.
Mathew,
User Rank: Apprentice
10/28/2013 | 3:22:59 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Thanks for all of this. Another notable effort on this front is being helmed by Sen. Jay Rockefeller (D-WV), who chairs the Senate's Committee on Commerce, Science, and Transportation. He's written a letter to Experian, cited by security reporter Brian Krebs, demanding more information about the data breach.

Last year, the committee launched an investigation into the business practices of nine data brokers, including Experian, although the data broker has reportedly declined to answer all of the committee's related questions. Last month, Rockefeller widened the probe to include the data-sharing practices of 12 websites.
MyW0r1d,
User Rank: Apprentice
10/28/2013 | 2:49:53 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Odd, I thought their core business was selling personal information and rating recommendations (ideally to the banks that provide it in the first place). Now with many major retailers finding that managing their own credit system is lucrative, they are buying credit reports on prospective customers as well. I've never seen anything to indicate they have more than a passing interest about the individual. Ideally, they would care who they sell to but investigating a paying customer and taking away from your own revenue is kind of hard to believe.
BGREENE292,
User Rank: Apprentice
10/26/2013 | 12:28:41 AM
re: Experian Breach Fallout: ID Theft Nightmares Continue

Matthew, thank you for helping readers understand the tortuous chains of corporate responsibility involved in management of personal financial data. Experian has been a problem of late, as your article details at length.

As with Experian -- which claimed the security breach (somehow) was beyond its control after acquiring Court Ventures because Court Ventures was already (allegedly) compromised -- denial seems the first corporate reflex.

But if managing securely all data access by third parties to bank and fund accounts is not fundamentally a fiduciary responsibility, what else could it be? Denial of responsibility seems the least acceptable response of those whose job was, and is, to manage data security for depositors' assets in trust. In this age of digital commerce, data security, itself, is a primary client asset.

Aside from a federal regulatory review of such issues, it now appears only sweeping and thorough legislation can address the endemic problems of data security. Readers can contact Sen. Elizabeth Warren, a strong consumer financial rights advocate, at http://www.warren.senate.gov/ or the federal Consumer Financial Protection Bureau, director Richard Cordray, at http://www.consumerfinance.gov...
TerryB,
User Rank: Ninja
10/25/2013 | 5:08:51 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Strike two against Experian. Those clowns were just on 60 Minutes in the last year because they can't even get their core business correct, removing bad credit information from their database even after the person shows them it was incorrect. The takeaway from the 60 Minutes report was they don't care, doesn't impact their bottom line.
Tom Murphy,
User Rank: Apprentice
10/25/2013 | 4:51:55 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Good story, Matthew. I think this all reflects how technology has outpaced society's ability to cope with new issues like abuse of PII. We've always had PII and we've always had people who abused that info for illegal personal gain -- crooks. There have always been companies that compile personal information -- an industry that goes back a century, at least. What is new is the speed with which that information can be shared and resold -- quite legally -- and then abused illegally. And the problem will get much worse very quickly, as big-data-skimming analytics tools piece together such things as your mother's maiden name, your pet's name, your hometown, and childhood friends from social media, where billions of people generously post such information daily.
What to do? A) End the current weak methods of online payments and replace them with biometric systems that confirm the ID of the buyer; B) Require credit monitoring companies to red-flag changes in contact information to the individual involved; C) Create a universal registry to help victimized consumers identify and quickly correct fraudulent entries in ALL their credit accounts simultaneously.
The failures of the current system should not fall on the shoulders of the victims, who are usually technically ill-equipped to combat the technologically sophisticated crooks who are victimizing them.
Other ideas?
archangelnikk,
User Rank: Apprentice
10/25/2013 | 2:26:29 PM
re: Experian Breach Fallout: ID Theft Nightmares Continue
Really shows the bad guys will stop at nothing to acquire consumer information, and as well the lack of controls big business has protecting that data...