BreachExchange mailing list archives

Experian Customers Unsafe as Hackers Steal Credit Report Data


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 29 Oct 2012 12:02:43 -0400

http://go.bloomberg.com/tech-blog/2012-10-29-experian-customers-unsafe-as-hackers-steal-credit-report-data/


When hackers broke into computers at Abilene Telco Federal Credit
Union last year, they gained access to sensitive financial information
on people from far beyond the bank’s home in west-central Texas.

The cyberthieves broke into an employee’s computer in September 2011
and stole the password for the bank’s online account with Experian
Plc, the credit reporting agency with data on more than 740 million
consumers. The intruders then downloaded credit reports on 847 people,
said Dana Pardee, a branch manager at the bank. They took Social
Security numbers, birthdates and detailed financial data on people
across the country who had never done business with Abilene Telco,
which has two locations and serves a city of 117,000.

The incident is one of 86 data breaches since 2006 that expose flaws
in the way credit-reporting agencies protect their databases. Instead
of directly targeting Experian, Equifax Inc. and TransUnion Corp.,
hackers are attacking affiliated businesses, such as banks, auto
dealers and even a police department that rely on reporting agencies
for background credit checks.

“This is profoundly important, because it illustrates a growing
problem when it comes to data breaches and security – the chain is only
as strong as its weakest link,” Senator Richard Blumenthal of
Connecticut, a former attorney general who has investigated
credit-rating agencies before, said in an interview. “If their
customers have inadequate security practices, so do the credit
bureaus.”

Six States

This approach has netted more than 17,000 credit reports taken from
the agencies since 2006, according to Bloomberg.com’s examination of
hundreds of pages of breach notification letters sent to victims. The
incidents were outlined in correspondence from the credit bureaus to
victims in six states — Maine, Maryland, New Hampshire, New Jersey,
North Carolina and Vermont. The letters were discovered mostly through
public-records requests by a privacy advocate who goes by the online
pseudonym Dissent Doe and who asked not to be identified to preserve
the separation between profession and advocacy.

Experian, based in Dublin, and Chicago-based TransUnion said in
statements that the breaches began with infections of customers’
computers, an area over which they have little control. The credit
bureaus said that their databases weren’t breached directly.

Tim Klein, a spokesman for Atlanta-based Equifax, and Clifton O’Neal,
a spokesman for TransUnion, declined to comment on specific cases.
Neither would provide details about any breaches they’ve had involving
the compromised log-ins of clients.

Protect Consumers

“We continue to invest in the security systems we have in place to
protect our clients and consumers,” Gerry Tschopp, a spokesman for
Experian, said in an e-mailed statement. “Of course, the first line of
defense lies with end users who are obligated to manage and protect
their credentials, which in all these instances were compromised
through malware that infected their hardware and other illegal means.”

Representatives of Abilene Telco said no bank employees were involved
in the data breaches.

“We don’t know what happened and we don’t know how it happened — we
just know we didn’t do it,” Pardee, the branch manager at Abilene
Telco, now renamed First Priority Credit Union, recalls telling
victims who called the bank after discovering that someone had viewed
their credit reports.

Experian’s database was breached 80 times for a total of almost 15,500
credit reports, Equifax’s was breached four times for more than 1,200
reports, and TransUnion’s was breached two times for almost 500
reports, according to the DataLossDB.org website, where Dissent Doe
and other advocates have posted the documents. All of the incidents
involved hackers stealing online log-in credentials from the credit
bureaus’ customers.

Congress Investigation

The incidents shed new light on security weaknesses at credit bureaus
at a time they are under investigation by both houses of Congress over
how much data they collect and how it’s used. While security hasn’t
been a focus of the probes, the breaches are cause for further
investigation, Blumenthal said.

Dissent Doe has filed a complaint with the Federal Trade Commission,
arguing for a formal investigation into Experian’s security practices
and urging lawmakers to enact legislation that creates a national
database of breach reports.

The FTC declined to comment specifically on the incidents. The agency
has punished data brokers when hacking attacks on their customers led
to the theft of credit reports. Last year, the FTC sued three
credit-report resellers when compromised client log-ins resulted in
more than 1,800 stolen reports. The agency also filed a lawsuit in
2008 against a mortgage lender after at least 400 credit reports were
stolen.

Failure to Check

The commission faulted the companies for failing to check whether
their customers had sufficient security and for not adequately
monitoring suspicious behavior coming from them. The cases were
settled, with the companies agreeing to 20 years of security audits.

“If you are providing access through an online portal, it’s your
responsibility to secure that portal,” Maneesha Mithal, associate
director of the FTC’s division of privacy and identity, said in an
interview.

Credit reports are highly coveted in an identity theft industry that
the U.S. Department of Justice estimates affected more than 8.6
million people and cost U.S. households $13.3 billion in direct
financial losses in 2010.

FTC Crackdown

When criminals steal a credit report, they get enough information to
take out new credit cards, qualify for loans, get a driver’s license
and even obtain medical treatment, according to Chris Jay Hoofnagle,
director of information privacy programs for the Berkeley Center for
Law & Technology.

“One basic problem is that unsophisticated companies tend to treat
their own customers as insiders, and not treat them with the type of
skepticism and controls aimed at outsiders (hackers),” he wrote in an
e-mail. “Of course, the insider risk is a massive problem.”

A crackdown by the FTC almost a decade ago led to stronger security
measures among information brokers, including credit bureaus,
according to Jay Foley, a partner with the consulting firm ID Theft
Info Source, who has followed the industry since 1999. Those efforts,
though, have focused mostly on preventing the data providers from
being tricked into giving criminals accounts that give them access to
credit reports, Foley said.

A series of breaches at ChoicePoint and Seisint, data brokers that
were bought by LexisNexis parent Reed Elsevier Plc, led to landmark
settlements that served as a warning to the industry. The newly
disclosed breaches show that credit bureaus haven’t invested enough in
fraud-detection technology to spot odd behavior coming from customers,
Foley said.
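The FTC's complaint that the resellers did not "adequately monitor suspicious behavior" coming from their customers, and Foley's point above that the bureaus lack fraud detection to "spot odd behavior coming from customers", both describe the same missing control: per-client-account anomaly detection on the report-pull portal. The following is an added illustration, not code from the article, Bloomberg, or any credit bureau. It assumes a hypothetical portal log format (timestamp, client account, subject's state, report id), hypothetical account ids and service areas in HOME_STATES, and illustrative thresholds; the sample log is constructed to resemble the Abilene Telco pattern described above (a small single-region client suddenly pulling many reports on subjects across the country).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median

# Hypothetical client accounts and the states they actually serve (assumption,
# not from the article); a real deployment would load this from the customer master.
HOME_STATES = {"acct-tx-0417": {"TX"}, "acct-ca-0092": {"CA"}}


@dataclass(frozen=True)
class Pull:
    ts: datetime
    account: str
    subject_state: str
    report_id: str


@dataclass(frozen=True)
class Alert:
    account: str
    day: date
    reason: str
    value: float


def build_sample_log() -> str:
    """Constructed sample portal log: four quiet days for two accounts, then one
    account pulling 40 reports on out-of-state subjects in the small hours."""
    lines = ["# <timestamp> <client account> <subject state> <report id>"]
    for day in range(12, 16):
        for i in range(4):
            lines.append(f"2011-09-{day}T09:{i:02d}:00Z acct-tx-0417 TX r{day}0{i}")
        for i in range(2):
            lines.append(f"2011-09-{day}T10:{i:02d}:00Z acct-ca-0092 CA r{day}9{i}")
    burst_states = ["NY", "FL", "OH", "IL", "WA", "GA", "MI", "PA", "VA", "NJ"]
    for i in range(40):
        lines.append(f"2011-09-16T02:{i:02d}:00Z acct-tx-0417 {burst_states[i % 10]} r16b{i}")
    return "\n".join(lines)


def parse_log(text: str) -> list[Pull]:
    """Parse the whitespace-separated (hypothetical) log format used above."""
    pulls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, state, report_id = line.split()
        pulls.append(Pull(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, state, report_id))
    return pulls


def scan(pulls, home_states, factor=5.0, min_count=25, max_outside_share=0.5, min_pulls=10):
    """Flag, per client account and day, (a) pull volume far above that account's
    own prior-day median and (b) a majority of pulls on subjects outside the
    account's service area. Thresholds are illustrative assumptions."""
    by_account_day = defaultdict(lambda: defaultdict(list))
    for p in pulls:
        by_account_day[p.account][p.ts.date()].append(p)

    alerts = []
    for account, days in by_account_day.items():
        for day in sorted(days):
            todays = days[day]
            n = len(todays)
            prior = [len(v) for d, v in days.items() if d < day]
            if prior:  # need some history before judging volume
                baseline = median(prior)
                if n >= min_count and n > factor * baseline:
                    alerts.append(Alert(account, day, "volume_burst", n / baseline))
            home = home_states.get(account)
            if home and n >= min_pulls:
                outside = sum(1 for p in todays if p.subject_state not in home)
                share = outside / n
                if share > max_outside_share:
                    alerts.append(Alert(account, day, "out_of_footprint", share))
    return alerts


if __name__ == "__main__":
    for a in scan(parse_log(build_sample_log()), HOME_STATES):
        print(f"{a.account} {a.day} {a.reason} value={a.value:.2f}")
```

The baseline is each account's own prior-day median rather than a global number, because a large lender pulling hundreds of reports a day is normal while the same volume from a two-branch credit union is not; the footprint check catches the second signal the article describes, reports on "people across the country who had never done business" with the client. Either alert would be a reason to suspend the account's portal session and call the client, which is the monitoring the FTC faulted the resellers for lacking.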

The company has since improved its security with a number of measures
including audits and additional fraud-detection technologies, Stephen
Brown, a spokesman for Reed Elsevier’s LexisNexis division, said in a
statement.

“The industry has cleaned up its act, but the act it was cleaning up
was who they were allowing to have credentials,” Foley said in an
interview. So instead, criminals are going through the third parties
that have already gotten approval, he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
