October 24, 2013

In the wake of revelations that credit bureau Experian sold consumer data to the proprietors of an underground identity theft service, a powerful U.S. senator is calling on the company to divulge more information on the extent of the potential damage to consumers.

West Virginia Senator Jay Rockefeller, a Democrat who chairs the Senate Committee on Commerce, Science and Transportation, on Wednesday sent a letter (PDF) to Experian demanding additional details about the security breach. Specifically, Rockefeller asked for responses to questions about Experian’s vetting process for its customers and its current practices for sharing consumer data. The senator also urged Experian to fully respond to his related previous inquiries regarding Experian’s customers, its oversight of its disclosures to third parties, and Experian’s data sources.

“The committee’s investigation has focused to date on how companies including Experian collect and sell consumer information for marketing purposes, while the information Experian reportedly sold to identity thieves – such as Social Security numbers and banking information – appears to be data Experian collects and sells for risk assessment activities,” Sen. Rockefeller wrote in the letter to Experian President Donald Robert. “However, if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them, regardless of the particular line of business.”

The letter is a follow-up to an investigation that Sen. Rockefeller launched in October 2012 into several data brokers — including Experian — to understand how the companies collect, store, and share personal consumer data. According to the committee, Experian is one of several companies that have refused to fully respond to Rockefeller’s request for information, which Rockefeller discussed publicly in this letter.

That 2012 letter was sent to the three major credit bureaus: Experian, Equifax and TransUnion. Rockefeller also queried Reed Elsevier, the parent company of data aggregator LexisNexis. Last month, KrebsOnSecurity broke a story showing that LexisNexis was one of three data brokers that had been hacked by a cybercriminal gang which operated a competing underground identity theft service — ssndob[dot]ms.

In a statement provided to The New York Times, Experian spokesman Gerry Tschopp said: “We have responded — and will continue to respond – in a very transparent manner to Senator Rockefeller.”

According to The Times, Sen. Rockefeller last month widened his probe, asking a dozen popular Web sites to provide information on their information-sharing practices with data brokers. The sites included in that inquiry were About.com, Babycenter.com, Bankrate.com, Health.com, Investopedia.com, Mensfitness.com and Self.com.

“While some consumers may not object to having their information categorized and used for marketing,” the senator wrote, “before they share personal information, it is important that they know it may be used for purposes beyond those for which they originally provided it.”


56 thoughts on “Senator Demands More Info From Experian”

  1. Clyde Tolson

    Why wouldn’t the senator’s office go to the FBI for answers instead of a dirty company? The FBI surely has the answers to the questions in the letter.

    1. Infosec Geek

      In the US the FBI should not have information about any company’s normal business practices.

      The FBI is a law enforcement agency. It should only investigate when laws are broken. Snooping on law abiding citizens is not accepted practice in the US although it may be tolerated in other parts of the world.

      Also, to support its role in making laws Congress has the power to compel answers to questions. If necessary the Senator can subpoena individuals (like the CEO), put them under oath and require them to answer questions. If they refuse to answer, or perjure themselves, they have committed a crime and can be sent to jail. Thankfully the FBI does not have such powers.

      1. ralph l. seifer

        You yanked me out of my seat with a jolt of 8.0 on the Richter scale when you threw out the comment that snooping on law-abiding citizens is not tolerated in the US.

        That was a truism when the 4th Amendment was written, but virtually ignored in the years since the last decade or so of the 20th century. Ralph L. Seifer, Long Beach, California.

        1. Clyde Tolson

          My point is that the FBI investigated this case and arrested the culprit. Therefore, they know a lot about what happened and can probably answer the questions outlined in the letter. Only a fine outfit like the FBI is skilled enough to successfully prosecute these types of cases and will be able to provide more truthful answers than some CEO looking to protect his company.

          1. Internet Awards Center

            Attention Citizen — We have found your most beneficent and complimentary comment whilst perusing this site and wish to inform you that the U.S. Government will soon be creating an Affiliate Program which is targeted specifically at you! Say “Yes!” to nationalism! Win Prizes! Be the envy of your friends and fellow patriotic Countrymen!

            Big Brother Loves You.

            1. french cil

              bravo
              (that’s all because English is read but not written)

        2. AlphaCentauri

          There is always a tension between what people try to get away with and what the US Constitution permits. The government has many times spied on US citizens, but if it gets challenged in court, it gets shot down. People got all paranoid after 9/11 and passed laws that are way too intrusive, but to the extent they are still in effect, to a large extent it’s because no one wants to be seen as soft on terrorists, or they want to stay in the good graces of the administration that is handing out grants and issuing regulations, and they don’t challenge them. A law that allows the NSA to hoover up data without specifying who they are interested in and why to get the search warrant, and which prohibits the service provider from notifying people whose data is being accessed so they can go to court and challenge it — that’s just not constitutional. But there’s a shortage of people with the balls to challenge it who have legal standing to do so.

    2. lee

      1) He should probably ask the NSA — they are the ones proactively spying on everyone.
      2) He probably already has, but cannot disclose the depth of the information they have, because it would show too much of the width and breadth of how deeply the NSA is spying on us all.

  2. JCitizen

    I can think of one big stick the senator could hold over their heads; how about the big three reporting agencies doing a better job cleaning up false or inaccurate credit information on individuals in their system?

    If they don’t – they will have to finally start regulating them even more, and let Richard Cordray, the Director of the Consumer Financial Protection Bureau, loose in their offices – kinda like siccing a junkyard dog on a mailman!

    Yeah! That’s the ticket! ]:)

    1. DL

      “… Richard Cordray, the Director of the Consumer Financial Protection Bureau …”

      During his testimony to Congress, he convinced me that the CFPB’s primary objective is gathering credit card and other financial data to construct transaction profiles for every US citizen.

      The three credit reporting agencies are likely data providers to the agency.

      1. DefendOurFree

        A tidbit on the Consumer Financial Protection Bureau. When I filed my complaint with them on my own doxing, the CFPB snail mailed me a form to sign to authorize the review of my credit reporting history.

  3. Maureen

    I’d like to know the names of the seven people who don’t object to their information being used for marketing. It shouldn’t be about objecting; it should be about not happening unless someone specifically requests it. This is disgusting.

  4. James Reinhard

    Adobe, who was hacked, is sending affected customers to Experian to receive free credit reports and credit and identity theft protection. Experian is asking for SS#s in order to sign up for the service. If I read the above article correctly, Experian is exposing customers to identity theft and fraud as well. Adobe needs to address this issue.

  5. Margaret Bartley

    We need to have it firmly established in the public’s mind as well as in law that consumers have the right to know everything that is being held in a database about them, and who is accessing that data and when.

    Anything less is leaving us open to criminals and tyrants.

  6. Cool_AC

    My man Jay Rockefeller!

    One of the few people in Congress that really understands and cares about this issue and wants to educate the public. I saw him talk for an hour one day about how common it is for hackers to hack you just for fun! And how he gets into arguments with friends of his that are CEOs of big companies that don’t take the issue seriously.

    It’s shocking to me though how much info Experian sells like it’s no big deal! The balls on that company to especially sell it overseas. Social Security numbers and banking information being sold? How can that even be legal in any circumstance?

    It’s ironic how people are worried about the NSA, who prolly don’t even open most of the data they have, when it seems corporations selling metadata on ALL of us is big business!

    I’m really sad that JR is retiring…

  7. PJ

    Great as always, Brian!

    I notice you’ve not commented on the arrest of the Blackhole Exploit Kit author, Paunch. I’d love to see an article with your thoughts and insights on this, having enjoyed your writing on exploit kit authors before.

    Keep doing what you’re doing!

  8. ET

    Apparently Experian also sells information to private companies such as Fedex. Fedex offered me an opportunity to sign up for a new service and the “security” questions came straight from my credit report. My credit report has wrong information for one field and I don’t correct it because it’s a dead giveaway that my credit report information is being sold to 3rd party companies.

    1. Maureen

      The security questions are the same for many websites. You still have to choose your answer. (But I’m not saying Experian didn’t sell to FedEx. I wouldn’t be surprised at anything at this point.)

      1. Ed

        Actually, for Fedex, the past history information had to have come from my credit report.

    2. Some User

      Welcome to https://www.privacyrights.org/fs/fs31-CIP.htm — another fine provision of the Patriot Act which does a handy job of further lining pockets of the Powers that Be. Decide on a problem. Create a law. Have a very limited number of well-positioned, heavily funded companies the only ones that can provide a service. Profit.

  9. IA Eng

    Letters from the government are nice, but they do little. I say that because I have seen the same trend from the SAIC incident a few years ago involving the TRICARE debacle, where SAIC was in violation of a lot of issues.

    The government sent a letter, and then another, and in the end, all I saw was a comment about how the government cannot believe SAIC was still allowed to bid on contracts with the history of violations it has received. Great, a comment. How about ACTION?

    The letters go out. It’s close to the election. It’s a ploy to say they took initiative to correct the Experian issue. By the time the response comes back from Experian, and the tennis match begins, all associated partners in the deal may be on oxygen masks and in wheelchairs – (if they are in the government with some sort of voting power, they may already be in that condition – – Out with the extremely old!)

    Kindler, gentler punishment coming soon. Bah Humbug.

  10. Doc

    Isn’t Experian one of the companies supporting Obamacare’s imploding healthcare.gov? Google “healthcare.gov experian” for lots of articles. Apparently Experian is handling some portion of the authentication process. So, it’s arguable, our new healthcare website is already quite compromised before they have even gotten it working……

    1. CoolAC

      Yes they verify the income. They have nothing to do with the website.

      The website is all CGI and QSSI. In my state the website works fine…

    1. Infosec Geek

      there are more honest politicians than people want to believe.

      believing they are corrupt makes it their fault. realizing they are not corrupt makes it the fault of the voters who elected them.

      want to see who caused the problems in Washington? look in the mirror. countries get the government they deserve.

  11. The Oregano Router

    The United States Congress can’t even get a bill passed into law, so now they are expecting answers from Experian. What a ******* joke

  12. Cool_AC

    Well, JR is chairman of commerce, chairman of science, and is on intelligence. He’s really not out of touch and understands this issue better than most of us. As Brian points out, he’s been on top of them for over a year, and maybe that’s why they were being investigated in the first place. I hope they follow up.

    One thing about old guys in Congress is they have seniority, more people owing them favors, and more of a relationship with other Congress members, so way more pull. But then again you look at the teabaggers and how they almost rocked our world with their freshmen members, almost as if Boehner was being blackmailed. Money only buys votes…. But thank goodness for the wisdom and sense of Mitch McConnell.

    I was laughing at the VP of CGI looking at Dingell like he was a cute little old man…lol

    http://www.youtube.com/watch?v=34Y7rjN9yD4

    1. Robert

      Hopefully Mitch will not be long for his office due to being spineless.

      One thing you can say about the “freshmen members”: they kept their campaign promise. That’s more than I’ve seen out of most of them from either party. This country might turn around for the better if we flushed all the senior career politicians and they were all freshmen.

      If Rockefeller can bring the credit companies to heel I support him 100%. Maybe he can also do the same to the NSA.

  13. J Peterson

    Only yesterday I received a letter from Adobe giving me a one-year credit monitoring membership at Experian, which is related to their fiasco that took place between September 11 and September 17.

    Talk about the lesser of two evils!

    1. Some User

      I’ve often wondered what goodies are sprinkled upon people whose information gets breached more than once in a one-year period… Do they just say ‘oh, we’ll add another year onto your monitoring, buddy’? Do you get nothing? Maybe they should start sending the amount you’d pay for monitoring to you as a rebate check — actually this would be a whole lot more interesting to me. Either way, one can assume most of this is one hand washing the other (with a handy tax write-off to boot), right?

  14. Amy Polnoff

    You are awakened! Sign these petitions. Let’s get all our Senators, Governors, Congressmen and women and President Barack Obama on this train!

    http://www.thepetitionsite.com/544/525/780/stop-the-invasion-of-our-privacy/

    http://www.thepetitionsite.com/698/558/689/tell-governor-jerry-brown-to-stop-the-invasion-of-our-privacy-for-corporate-profit/

    http://www.credomobilize.com/petitions/tell-president-barack-obama-the-privacy-of-the-us-citizens-is-just-that-private

    https://www.causes.com/campaigns/34874-stop-companies-from-selling-personal-information-online

      1. Amy

        Why not support something in an effort to make a difference? Your attitude is why our government isn’t listening to the people. No one wants to stand up and be heard in ALL the avenues to get your voice heard. And I’ve yet to see any statistics that reflect petitions do not make a difference. If this were true, why are they being effective in so many political venues? Care 2 Causes, Causes and privacy rights all have articles and follow ups showing petitions being instrumental in making a difference. Stop being negative and make an effort to do something other than deterring others from joining together because you made an uneducated statement and deterred them from making a difference!!!!!

        1. Peter

          Don’t feed the troll, Amy. If more regular Americans had your sense of action, maybe more things would change. Trolls like “Some User” love to hear themselves talk, put people down, and get a rise out of others.

          1. Some User

            Um, what? I’m advocating people STEP AWAY FROM THEIR COMPUTER and actually show their faces, do actual things people can’t ignore. Make appointments with their representatives, talk to people on the street, have them call their representatives, do something other than sign their names to petitions that are duplicated a million times over and don’t do a thing (or God forbid doing what Anonymous seems to think they’re doing — “hacktivism” making things worse, their style).

            Clearly the way people have been approaching things has not made any meaningful differences. Everybody just ignores what they don’t want to see/hear. Unless it’s an election year, then they’ll pay it lip service til people forget.

            I’m advocating people DO MORE and you’re calling me a troll? I give up.

            Enjoy your life.

  15. Skaldcrow

    Filed under ……..A little sunshine : The coming storm.

    I am amazed no one else gets it Brian, the deliberate existential anarchy created by Gramsci’ites, Fabians & Corporate Socialists.

  16. Marty

    Note that the senator’s letter has your website address wrong in footnotes 2, 3, and 4. He lists it as “krebsecurity.com” rather than “krebsonsecurity.com”. Good luck to anyone who tries to use those erroneous web references to verify the postings!

  17. Some User

    You know what’s a great idea? Writing about people in power bleating about things to raise their profile like this Senator, while at the same time having his administration push stuff like this in your home state:

    http://www.timesdispatch.com/news/state-regional/government-politics/va-starting-to-develop-a-master-identity-database/article_772d70fe-28ac-11e3-95ec-001a4bcf6878.html

    When are you going to start writing about the erosion of privacy and how it contributes to crime (perhaps is even the main contributor to crime) instead of assuming that crime alone is the story?

    1. Aiding the Enemy

      He is too scared to talk about sensitive issues like that, he may end up in jail or something — for Aiding the Enemy or for some other stupid charges they may bring against him.

      1. Some User

        I’ve actually been thinking it probably has to do with maintaining the sources he built up in his time at WaPo. It can’t be easy having started your career in one of the most prickly parts of the country, where one hand constantly washes the other or can’t get a phone call received/put through and then going independent.

        But this is really part of the problem (not that Brian would argue against the programs, I think, at this point, from the slant I’ve picked up from his articles) — when the media can’t address things in any questioning direction without negative repercussions, it leads to a behavioural modification scenario: acting one way gets rewarded, acting another way gets punished; default tends to lead towards getting rewarded. This is magnified by social media and ‘everyone’s a journalist’ — favouritism becomes ‘the norm’ and it’s easy to dismiss people if they don’t write things your way.

        The problem becomes, when issues aren’t addressed at all, one is tempted to think the worst vis a vis ‘influence’.

        1. Peter

          Don’t feed the troll (Some User). Scandals like what is going on with our national surveillance policies tend to suck all of the oxygen out of the room, making other security and or privacy stories seem miniscule by comparison. But that doesn’t mean journalists shouldn’t pursue them.

          Mr. Krebs does reporting that no other reporters are doing on topics that no other journalists can even touch. Go troll another blog if you’re unhappy he’s not chasing the NSA story like all the rest of the churnalists.

          1. Some User

            I never said I wanted him to pursue the NSA story — why do you assume all problems with privacy that are condoned and paid for by the government have to be a story about the NSA? That’s like saying Brian should only write one story about skimmers — and oh that should’ve been in 2004.

            If he’s talking about matters like Experian and data for sale, he should be bringing up matters like HOW this is possible, WHY it is possible, WHO benefits, etc — and perhaps offering some insight into things instead of toeing a singular party line that goes something like “This bad, this so bad.”

            He isn’t in the FBI, he doesn’t work for the DOJ (that I know of), and he has no constituents to blow smoke up the asses of. Is it much to ask for him to acknowledge that a lot of the matters he discusses in stark black and white terms are not as black or white as tend to get written up? Is it terrible to suggest that the journalist’s job is to provide insight and provoke thought in the reader instead of giving them a paint-by-numbers of how they “should think”? He’s won articles for *journalism*. If he wants to just be a blogger, that’s all well and good but I think it’s an insult to journalism as an art to insinuate that there’s only one side to some of the stories he writes about.

            This doesn’t make me dislike Mr. Krebs. It does make me curious why you’d call me a “troll” for bringing these issues up.

            1. Some User

              NB: You may say this makes me ‘not his target audience’, but if that’s the case then clearly nobody should read anything that disagrees with them and request a dialogue, right? Agree or go away?

  18. Katrina Lowe

    Very impressed with Senator Rockefeller’s concern about the privacy of American citizens. I would have raised my eyebrows about the sincerity of his probe if this had been the first time he’d started asking questions, but it appears he’s been involved with this sort of thing for some time now. We’ve been hearing so much BAD about Congress these days, so it’s nice to learn something GOOD.

    The majority of Americans today don’t bother to read privacy policies and sign off with consent without blinking an eye. Though Experian is most definitely to blame for selling sensitive data, how many other websites have we used, given up our PII, and not known that they had a “right” to offer that information to third parties—all because folks were too lazy to read through the privacy policy?

    The fact that Sen. Rockefeller is a member of Congress is a good thing. His status can (and will) inform those individuals who have no idea of what’s going on underneath that https.

  19. J Cook

    Did I miss something in all the articles related to this about who is responsible for the attacks? Who or what entity is behind the hack?

    1. IA Eng

      When the trait called “attention to details” is reborn.
