BreachExchange mailing list archives

Experian defends database security practices in face of investigations


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 20 Nov 2012 09:52:55 -0500

http://nakedsecurity.sophos.com/2012/11/20/experian-security-practices/

Experian: 2,500 customer records exposed in 2006.

TransUnion: 3,623 in 2005.

And beyond those, DataLossDB.org lists, again and again, dating back
to 2005 and continuing today, dozens of incidents in which an
"unknown" number of names, addresses, dates of birth, social security
numbers, and driver's license numbers were accessed from Equifax,
Experian, and TransUnion, spread across breaches that span the years.

Experian, for one, is defending its security practices after Bloomberg
published a report late last month about flaws in how credit reporting
agencies protect their databases.

In that report, Bloomberg's Jordan Robertson tallied 86 data breaches
since 2006 that demonstrate how attackers avoid directly targeting the
credit reporting agencies, instead going after affiliated businesses -
such as banks, auto dealers and even a police department - that rely
on the agencies for background credit checks.

Those breaches led to the theft of almost 15,500 credit reports since 2006.

As a result of Robertson's report, Ireland's Office of the Data
Protection Commissioner, which enforces privacy law in the country, is
now investigating Experian's security practices.

To breach Experian, hackers are known to have broken into computer
networks of its customers, stealing their passwords to access credit
reports online.

Ireland's regulators aim to find out whether Experian can be held
responsible for failing to detect such fraud.

A spokesman for Experian declined to comment, but told Robertson in an
email that the breaches were:

"isolated security issues experienced by a small number of our clients
in North America involving US consumers under US data-protection
jurisdiction."

In fact, Experian's clients bear the responsibility to monitor and
maintain the security of their own systems and credentials, the
spokesman said.

The spokesman said that Experian, for its part, uses:

"sophisticated technology to detect anomalies that might indicate
suspicious activity in systems access, which we immediately flag to
the client and, when appropriate, to consumers and law enforcement."

Whether such "sophisticated technologies" are enough is a question
that's under investigation by both houses of the US Congress, which
are looking into data collection (and, potentially, security)
practices of Experian, Equifax and TransUnion.

At least one of the stories of breached customers underscores how
Experian could well be held accountable for database breaches.

Abilene Telco Federal Credit Union, a small bank in west-central
Texas, had its online password to Experian stolen last year. In
lightning-fast time, 847 credit reports were stolen, including those
from people who'd never done business with the bank.

As Robertson writes, Experian should have been alerted to fraud
because the number of credit reports exploded beyond the bank's
typical monthly draw: usually, it had a monthly bill of $100 or less,
but the fraudulent transactions sent that up to $3,493.73.

On top of that, the attack began on a day when the bank was closed.
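The two signals the article says should have tripped an alert, a client's monthly volume jumping far above its own history and pulls arriving on a day the client is closed, are simple to check on the provider's side. The script below is an added example and not Experian's or anyone else's real system; the client id, the pull timestamps and the "847 pulls on a Saturday" spike are constructed to mirror the numbers in the story, and the closed-day rule simply treats weekends as closed.

```python
"""Per-client anomaly checks for credit-report pulls (constructed sample data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

CLIENT = "client-A"  # hypothetical client identifier


def build_sample_log():
    """Constructed access log of (client, timestamp) pulls: a quiet baseline
    of 8 weekday pulls a month for Jan-Sep 2011, then 847 pulls on a Saturday."""
    log = []
    for month in range(1, 10):
        for i in range(8):
            ts = datetime(2011, month, 3 + i, 10, 0)
            while ts.weekday() >= 5:      # keep baseline pulls on business days
                ts += timedelta(days=1)
            log.append((CLIENT, ts))
    start = datetime(2011, 10, 15, 2, 0)  # 2011-10-15 is a Saturday
    for i in range(847):
        log.append((CLIENT, start + timedelta(minutes=i)))
    return log


def monthly_counts(log):
    """Number of pulls per (client, year, month)."""
    counts = Counter()
    for client, ts in log:
        counts[(client, ts.year, ts.month)] += 1
    return counts


def volume_alerts(log, multiplier=3.0, min_history=3):
    """Flag a month whose pull count exceeds `multiplier` times the client's
    average over its earlier months (needs at least `min_history` months)."""
    series = defaultdict(list)
    for (client, y, m), n in sorted(monthly_counts(log).items()):
        series[client].append((y, m, n))
    alerts = []
    for client, months in series.items():
        history = []
        for y, m, n in months:
            if len(history) >= min_history:
                baseline = sum(history) / len(history)
                if n > multiplier * baseline:
                    alerts.append((client, y, m, n, baseline))
            history.append(n)
    return alerts


def closed_day_alerts(log, closed_weekdays=(5, 6)):
    """Count pulls made on days the client is closed (weekends by default)."""
    hits = Counter()
    for client, ts in log:
        if ts.weekday() in closed_weekdays:
            hits[(client, ts.date())] += 1
    return dict(hits)
```

A real deployment would key the baseline on the client's own billing or query history and its declared business hours rather than on a fixed weekend rule.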

Robertson may well have tallied one slice of the pie, but the truth
is, nobody can say for sure how many credit-reporting agency records
have been compromised, because the agencies' lips are just about glued
shut.

As the New York Times reported about database marketing company
Acxiom, beyond personally identifiable information such as social
security numbers, name, address, credit card information and the like,
data aggregators' "prying eyes" look deeper than the FBI or the IRS to
find information including "age, race, sex, weight, height, marital
status, education level, politics, buying habits, household health
worries, vacation dreams - and on and on."

A group of US Congressional representatives in July demanded more
transparency from the agencies, noting that consumers are in the dark
about the identity of data brokers, how they collect personal
information, and to whom they sell or provide this information.

The administrator of DataBreaches.Net, who goes simply by the title
"admin" and who in April filed a complaint about Experian with the US
Federal Trade Commission (FTC), says that we simply don't know how
many compromises of client logins transpire, since only a minority of
US states have a central repository of breach reports, and fewer still
make such reports readily available on a public site.

S/he writes:

Much of what we know about Experian’s breaches we know only because
volunteers at DataLossDB.org - this blogger included - file for
reports under Freedom of Information laws. Experian’s breaches would
likely have continued to evade public or Congressional scrutiny
because there is no national central repository of breach reports
available to the public and Congress. We need to remedy that.

"Admin" lauded the efforts of lawmakers on behalf of consumers and
expressed his/her hope that state attorneys general open their own
investigations, to:

"determine if their residents are being adequately protected from
breaches involving data-rich credit reports."

That's a wise call to arms.

Kudos to the US lawmakers and the Irish regulators for demanding transparency.

Let's hope this attention goes beyond a demand for transparency,
though, and that at the end of the day we see attention being paid to
the additional database protections that we should demand from data
brokers.

The story of Abilene Telco shows that, "sophisticated" technology or
no, they can be doing a lot more than just leaving security mostly up
to customers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list