Educause Security Discussion mailing list archives

Credit Reporting Companies


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 14 Jan 2008 12:30:04 -0500



Hi Everyone:



As a standard part of our Identity Theft Awareness presentations and as a
standard part of our breach notification letters we tell people how to go
about receiving their free credit report(s) from Equifax, Experian, and
Trans-Union.  We walk them through the process outlined by the Federal Trade
Commission materials and have them pull a report from one company first,
then wait 4 months and pull one from the other, etc.



Here's the Issue and Question:



I have recently received two complaints from members of my community that
when you contact Experian they are pushing their Credit Insurance program so
hard that they are "fraudulently charging credit cards" (not my words - see
the email I received below) for the service without making the consumer
fully aware of what they are doing.



Any suggestions as to who I should lodge a complaint with or as to an easy
way to instruct folks on how to avoid this trap?  When we notify them that
their data may have been breached they are already a bit upset - to then
have the Credit reporting agency (who is supposed to help them) take
advantage of them further is causing a bit of pain on our side as my
department is much more accessible on the phone than someone from Experian.



-Kevin



Recent Email Received:



Dear Infosec department,



Last year I attended a security awareness seminar offered by your department
in ERC 427 - I believe it concentrated on identity theft.  The speaker said
that federal law allows everyone one free credit check per company per year
and instructions were given stating how to do this, in particular a web
address was given.  I did this and saw my report.  Then a few months later
my wife and I noticed a disguised charge on our credit card statement.
Instead of Experian we saw something like CC-01-12 or something like that.
Upon investigating we discovered, to our horror, that Experian was charging
us for something that we did not want and did not knowingly ask for.  So it
appears your presentation has inadvertently led to supporting fraud or at
least unethical behavior by at least one and possibly other companies. I
believe we will be reimbursed by the credit card company as a fraudulent
claim but the fact that this is so routine staggers my mind (check the web
for incredible numbers of similar complaints).  I suggest you do not tell
people that credit check companies give a free credit rating because that
appears to be entirely misleading - it is more like the first month is free
- but they do not tell you that in any plainly visible location.  I realize
there is a way to carefully step through the process to avoid the problem
but I think most people will lose their balance and fall into the pit so it
seems better not to mention it at all or provide an up-to-date website
showing, step-by-step, exactly what buttons to press for each of the credit
reporting agencies.



Sincerely,







Kevin L. McLaughlin

CISM, CISSP, GIAC, PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

513-558-ISEC (department)













