Self-Fulfilling Prophecy: Experian Data Breach #99

Jennifer A. Kurtz, MBA

When Experian talks, people should listen. Its 2014 Data Breach Industry Forecast advises: "All signs are pointing to 2014 being a critical year for companies to better prepare to respond to security incidents and data breaches." And Experian is well-versed in data breaches—and not just those for which it performs credit-monitoring services. In its 99th data breach since 2008, Experian sold access to a database of social security numbers belonging to some 200 million Americans (or 63% of the US population in 2012) through its subsidiary Court Ventures to Hieu Ming Ngo. Ngo, a Court Ventures client now awaiting trial in New Hampshire for running an underground identity website, leveraged the Experian subsidiary's information-sharing arrangement with U. S. Info Search to make 3.1 million queries over an 18-month period against the database and banked at least $1.9 million in fees for providing information to his clients.

The number of records Ngo actually obtained is difficult to ascertain, in part because he was able to obtain multiple records by using the convenient credit header (name and state) data service offered through Court Ventures. A single query would thus return multiple records: all individuals in a state with a specific last name. Experian has thus far denied responsibility and the need to notify individuals whose information may have been compromised. Meanwhile, Experian received Ngo's payment for access to Court Ventures information assets via wire transfers from a bank in Singapore (apparently not a red flag for those monitoring data access transactions). In claiming ignorance, Experian would also seem to tacitly confirm that it failed to perform due diligence during its $18 million acquisition of Court Ventures. Such an acquisition, only 0.12% of Experian's 2013 revenues of $4.7 billion, perhaps was not significant enough to merit deeper investigation. In a fine example of "no honor among thieves," the two not-so-independent companies have filed a suit and counter-suit in California's Orange County Court.

Where does that leave the millions of individuals who have now agreed to let Experian monitor their credit reports as part of a "mitigation" effort after data breaches like those experienced recently by the University of Maryland, the State of South Carolina, and Target? (Kudos, by the way, to those who procrastinated and missed the April 23 deadline to register for Target's five years of free credit monitoring by Experian.) Unlike you and me, Experian is apparently too big to err. Where does that leave the 48 million US residents (per the 2009 American Housing Survey) or 1.2 billion US credit card holders (per US Census Bureau data for 2012) who have to account for the information, misinformation, and compromised information provided by Experian to the curious who have paid for access to its databases? During my home refinancing interrogation, I learned about my apparent responsibility for the credit practices of both my ex-husband's son (only 17 years old when we divorced) and someone I've never met who shares my last name. Why is there no better monitoring of the data integrity AND confidentiality practices of those who purport to monitor ours?

A group of state attorneys general—including those of Illinois, Connecticut and Missouri—have joined forces to further investigate Experian's practices. Members of Congress are holding hearings, and some have proposed (again) a nationwide solution for the patchwork of 47 different state-level data breach notification laws (Alabama, New Mexico and South Dakota have not enacted such a law).

Meanwhile, does anyone see the potential conflict of interest in Experian's four lines of business: Credit Services, Decision Analytics, Marketing Services and Consumer Services? It creates a problem by aggregating data (accurate and inaccurate) and selling access to it. It then receives money to protect against the negative impact of the problem, receives money to report to lenders about those who have been victimized by the problem, and complicates (or denies) individual requests to correct inaccurate data.

And yet, even though Experian serves up the sweetest nuggets of our personal information (at least in terms of what I know will affect me as I try to finance a car, house, or business expense), it is NSA's collection of massive stores of irrelevant, often unstructured, variously formatted, ephemeral data about our phone conversations and texts that attracts more outrage. My image of NSA's data collection practices is the last scene in Raiders of the Lost Ark, when the precious ark so arduously recovered is packed into an anonymous wooden crate that is being rolled by forklift around a warehouse of hundreds of similar crates. Yes, NSA is listening, but the probability of my being a "person of interest" to them is acceptably low, unlike my relationship with Experian.

When will Experian listen?

Part 2: Take Action against Identity Theft
