Class Action Targets Experian Over Account Security – Krebs on Security

A class action lawsuit has been filed against the big-three consumer credit bureaus Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing quotes extensively from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to take control of existing Experian accounts simply by signing up for new accounts using the victim’s personal information and another e address.

The lawsuit, filed on July 28, 2022 in California Central District Court, alleges that Experian’s documented practice of allowing the re-enrollment of existing Experian accounts without first verifying that the existing account holder has approved the changes violates

In July’s Experian, You Have Some Explaining to Do, we heard from two different readers who had security freezes placed on their credit files with Experian and who also recently received notifications from Experian that the email address on their account had been changed. So were their passwords and account PINs and secret questions. Both had used password managers to choose and store complex, unique passwords for their accounts.

Both were able to regain access to their Experian account simply by recreating it – sharing their name, address, phone number, social security number, date of birth and successfully collecting or guessing the answers to four multiple choice questions that are almost entirely based on public records (or other information that is not terribly difficult to find).

Here’s some of the story extracted in the class action lawsuit:

KrebsOnSecurity tried to replicate Turner and Rishi’s experience – to see if Experian would allow me to recover my account using my personal information but a different email address. The experiment was conducted from a different computer and Internet address than the one that created the original account years ago.

After providing my social security number (SSN), date of birth, and answering several multiple choice questions whose answers are almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that the new email address could reply to messages or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file saying that the account’s email address had been changed. The only recourse Experian offered in the warning was to log in or email an Experian inbox, which responds with the message “this email address is no longer monitored.”

After that, Experian asked me to choose new secret questions and answers, as well as a new account PIN – effectively erasing the account’s previously chosen PIN and recovery questions. After changing the PIN and security questions, Experian’s website helpfully reminded me that I have a security freeze and would I like to remove or suspend the security freeze?

To be clear, Experian has a business unit that sells one-time password services to businesses. While Experian’s system asked for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. I also didn’t see any option in my account to enable multi-factor authentication for all logins.

In response to my story, Experian suggested that the reader reports were isolated incidents and that the company is doing all sorts of things it can’t talk about publicly to prevent bad people from abusing its systems.

“We believe these are isolated cases of fraud using stolen consumer information,” Experian’s statement read. “Specifically to your question, once an Experian account is created, if someone tries to create another Experian account, our systems will notify the original email on file.”

“We are moving beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytics capabilities confirm identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and provide additional layers of protection. We takes consumer privacy and security seriously, and we continually review our security processes to protect against constant and evolving threats from fraudsters.”

That sounds great, but since that story ran, I’ve heard from several readers who did everything right and still had their Experian accounts hijacked, with little to show for it except an email alert from Experian that said , that they had changed the address on file for the account.

I’d like to think this class action will change things, but I don’t. Probably the only thing that will come from this lawsuit – if not dismissed outright – is a hefty payout to the plaintiffs’ lawyers and “free” credit monitoring for a few years compliments of Experian.

Credit bureaus do not see consumers as customers, who are instead the product sold to third-party companies. Often, this data is sold based on the interests of the entity purchasing the data, where consumer records can be packaged into categories such as “dog owner,” “parent,” or “diabetic patient.”

A chat conversation between the claimant and Experian support staff shows that he experienced the same account hijacking described by our readers, despite his use of a computer-generated, unique password for his Experian account.

Still, most lenders rely on the three major consumer credit reporting agencies—including Equifax, Experian and Trans Union—to determine everyone’s credit score, fluctuations in which can make or break one’s application for a loan or job.

On Tuesday, The Wall Street Journal broke a story that Equifax sent lenders incorrect credit reports to millions of consumers this spring.

Meanwhile, the credit bureaus continue to enjoy record earnings. For its part, Equifax reported record revenue in the fourth quarter of 2021 of 1.3 billion. Much of that revenue came from the company’s Workforce Solutions business, which sells consumer salary history information to a variety of clients.

The Biden administration reportedly wants to create a public entity within Consumer Financial Protection Bureau (CFPB) that would incorporate factors such as rent and utility payments into lending decisions. Such a move would require congressional approval, but CFPB officials are already discussing how to set it up, Reuters reported.

“Credit reporting firms oppose the move, saying they are already working to provide fair and affordable credit to all consumers,” Reuters wrote. “A public credit bureau would be bad for consumers because it would inappropriately expand government power and its goals would shift with political winds, the Consumer Data Industry Association (CDIA), which represents private rating firms, said in a statement.”

A public credit bureau is likely to face stiff opposition from Congress’s most generous constituents — the banking industry — which loathes rapid change and relies heavily on the credit bureaus.

And there’s a preview of the battle going on right now over the bipartisan US data protection law, which The hill described as one of the most lobbied bills in Congress. The idea behind the bill is that companies cannot collect more information from you than they need to provide you with the service you seek.

“The bipartisan bill, which represents a breakthrough for lawmakers after years of negotiations, would limit the type of data companies can collect from online users and the ways they can use that data,” The hill reported August 3. “Its provisions will affect companies in all consumer-centric industries — including retailers, e-commerce giants, telecommunications, credit card companies and technology companies — that collect vast amounts of user data and rely on targeted ads to attract customers.”

According to Electronic Frontier Foundation, a non-profit digital rights group, the bill, as drafted, falls short in protecting consumers in several areas. First, it would override or preempt many kinds of state privacy laws. The EFF claims the bill would also block Federal Communications Commission (FCC) from enforcing federal privacy laws that now apply to cable and satellite television, and that consumers should still be allowed to sue companies that violate their privacy.

A copy of the class action complaint against Experian is available here (PDF).

William

Leave a Reply

Your email address will not be published.