The folks at Experian have been receiving a great deal of well-deserved attention recently. Just this week, the states of North Carolina and Iowa joined the Connecticut and Illinois Attorneys General in investigating Experian over the alleged access, by an identity theft service masquerading as a private investigator, to a database of records on approximately 200 million Americans, with information including social security numbers, dates of birth, and email addresses, among other sensitive personal data. That Experian is able to sell the personal data of Americans without explicit consent seems counterintuitive, given that as a credit bureau it is in a “unique position” with respect to the (regulated) manner in which it collects such information. The fact that Experian is also frequently trusted by organizations that have themselves had a data breach to care for the affected consumers is downright perplexing.
So why are several state AGs investigating Experian? The Wall Street Journal provides a pretty clear-cut answer to this question. In 2012, Experian purchased a company named Court Ventures. Court Ventures, via a partnership with another company – U.S. Info Search – had the ability to sell personal information, including social security numbers, on around 200 million Americans. A Mr. Hieu Minh Ngo, who recently pleaded guilty to operating a business for fraudsters, was a customer of Court Ventures (he admittedly used a false identity to open his account). So effectively, given this chain of facts, Experian (through its subsidiary, Court Ventures) was providing access to a database of sensitive information on 200 million Americans to a Vietnamese man who was selling this information to criminals for perpetrating identity theft.
In addition to the state investigations, as noted by Reuters, Experian also provided testimony to the Senate Commerce Committee, whose membership includes U.S. Senator Claire McCaskill from Missouri. Experian SVP Tony Hadley told Senator McCaskill that “we know who they [the Americans whose personal information was accessed] are and are going to make sure we are going to protect them.” And it doesn’t appear that Experian actually followed through on that promise.
As noted this week by KrebsOnSecurity, Experian seems to have done an about-face on helping the folks affected by this data breach. In fact, in the same committee testimony, Mr. Hadley goes on to state that “there’s been no allegation that any harm has come, thankfully, in this scam.” And per KrebsOnSecurity, “Experian has declined to answer questions about whether it has lifted a finger to help consumers impacted by this scheme, or to clarify its apparently conflicting statements about whether it believes anyone has been harmed by its (in)action.”
And to further this point, U.S. Info Search CEO Marc Martin stated that he has “cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications…. Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”
I would encourage you to read Mr. Krebs’s post, which provides “fact checking” of the Experian talking points. He brings to this discussion a clear dissection of the facts, but also an illuminating sense of perspective as to how Experian plays within the credit sphere of our financial ecosystem.
So clearly it hasn’t been a good week for Experian, although I suspect that this data breach would have received much more attention over the last several months had it not been for the small public “distraction” that was the Target breach. I do wonder, though, whether in the future organizations will be as inclined to turn to Experian for help when they have a data breach.