Credit reporting company Experian plc is in the news for the wrong reasons again, with a report claiming that identity thieves exploited a security weakness on its website to obtain credit reports.
KrebsOnSecurity reported today that identity thieves are successfully exploiting the Experian website to obtain credit reports by using a person’s name, address, birthday and Social Security number. The security flaw was first detected by a security researcher in Ukraine who discovered the method after spending time on Telegram chat groups dedicated to exploiting compromised identities.
The Experian website ostensibly required several questions to be answered to obtain a credit report, but the identity thieves discovered that they could trick Experian into giving them access to credit reports. Obtaining access was as simple as editing the address displayed in the browser URL bar at a specific point in the identity verification process.
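The flaw described above is a step-skipping (forced-browsing) problem: the server treated the URL as proof that the verification questions had been answered. The following added illustration is not Experian's code; it models a hypothetical multi-step flow with a constructed challenge and shows the weak check beside a hardened one that gates the report on server-side state the client cannot set.

```python
# Added illustration (hypothetical, not Experian's code): a multi-step identity
# verification flow as a tiny in-memory backend. The weak handler serves the
# report whenever the URL says "/report"; the hardened handler only serves it
# when a server-side flag, set solely by a passed challenge, is present.

from dataclasses import dataclass, field

# Constructed sample answers for the knowledge-based challenge (hypothetical).
EXPECTED_ANSWERS = {"prior_street": "elm", "prior_lender": "acme"}


@dataclass
class Session:
    identity_entered: bool = False   # name/address/DOB/SSN step completed
    challenge_passed: bool = False   # set ONLY by the server after the challenge succeeds
    log: list = field(default_factory=list)


def submit_identity(session: Session) -> None:
    """Step 1: the requester supplies identifying details."""
    session.identity_entered = True


def submit_challenge(session: Session, answers: dict) -> bool:
    """Step 2: the requester answers the verification questions."""
    ok = answers == EXPECTED_ANSWERS
    session.challenge_passed = ok
    return ok


def handle_weak(session: Session, path: str) -> str:
    """Weak: treats reaching the /report URL as proof the challenge was passed."""
    if path == "/report" and session.identity_entered:
        return "REPORT"
    return "CHALLENGE"


def handle_hardened(session: Session, path: str) -> str:
    """Hardened: every request for the report re-checks server-side state."""
    if path == "/report":
        if not (session.identity_entered and session.challenge_passed):
            # Worth alerting on: a jump to /report without a passed challenge.
            session.log.append("forced-browse to /report without passed challenge")
            return "DENIED"
        return "REPORT"
    return "CHALLENGE"
```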
Brian Krebs tested the method with his own credit report and found it worked, “even though Experian said it couldn’t tell that I was actually me.” Dumbfounded by the result, Krebs asked a trusted security source to try the method and recreate his findings, and the expert did.
Krebs shared his findings with Experian on Dec. 23 and received confirmation on Dec. 27 that the email had been received. At some point between those two dates, Experian changed its code to prohibit unconfirmed access to credit reports.
How long identity thieves had been exploiting this method is unknown, as is the number of credit reports potentially stolen, but the implications are clear. Credit reports provide a rich trove of data that can be exploited in multiple ways, from phishing to extortion and just about any scam that utilizes personal information.
This is not the first time Experian has made headlines for security issues. In 2021, a security researcher uncovered an unprotected application programming interface that exposed the credit scores of almost every person in the U.S. Further back, in 2015, hackers stole personal information belonging to 15 million Americans.
Experian is also not alone in the credit reporting industry in suffering data leaks and hacks. Its main competitor Equifax Inc. was hacked in 2017, resulting in a congressional inquiry and a $700 million lawsuit settlement.
That yet another credit reporting agency has been exposing data raises questions about how the industry is being regulated.
“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Senator Ron Wyden told Krebs. Wyden added that the U.S. Federal Trade Commission and the Consumer Financial Protection Bureau must do more to protect Americans from credit bureaus.