August 5, 2022

A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.

The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian’s documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.

In July’s Experian, You Have Some Explaining to Do, we heard from two different readers who had security freezes on their credit files with Experian and who also recently received notifications from Experian that the email address on their account had been changed. So had their passwords and account PIN and secret questions. Both had used password managers to pick and store complex, unique passwords for their accounts.

Both were able to recover access to their Experian account simply by recreating it — sharing their name, address, phone number, social security number, date of birth, and successfully gleaning or guessing the answers to four multiple choice questions that are almost entirely based on public records (or else information that is not terribly difficult to find).

Here’s the bit from that story that got excerpted in the class action lawsuit:

KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.
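The flaw described above is a re-registration path that overwrites an existing account's contact address and recovery secrets as soon as the supplied identity attributes match, with only an after-the-fact notice sent to the old address. The following is an added example, not Experian's code or anything from the original story: it sketches that weak flow next to a hardened one in which an existing account is never modified by a new sign-up. Instead the change is staged and applied only when the address already on file approves it and the new address proves it can receive mail. The identity-key derivation (SSN and date of birth hashed with a server-side pepper), the in-memory store and the outbox are assumptions made for the example.

```python
"""Two versions of an account re-registration flow.

Constructed demonstration for this article; not Experian's code. The
identity matching, the in-memory store and the outbox are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical server-side pepper; in production this comes from a secrets store.
PEPPER = b"example-pepper-not-for-production"


def identity_key(ssn: str, dob: str) -> str:
    """Derive a lookup key from identity attributes without storing the raw SSN."""
    return hmac.new(PEPPER, f"{ssn}|{dob}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    key: str
    email: str
    pin: str
    # Staged email change: populated only by the hardened flow.
    pending_email: Optional[str] = None
    token_for_old: Optional[str] = None   # sent to the address on file (approval)
    token_for_new: Optional[str] = None   # sent to the requested address (possession)


@dataclass
class Store:
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # (recipient, subject) pairs

    def send(self, to: str, subject: str) -> None:
        self.outbox.append((to, subject))


def register(store: Store, ssn: str, dob: str, email: str, pin: str) -> Account:
    """Create an account when no account exists for this identity."""
    key = identity_key(ssn, dob)
    if key in store.accounts:
        raise ValueError("identity already registered")
    acct = Account(key=key, email=email, pin=pin)
    store.accounts[key] = acct
    return acct


def weak_reregister(store: Store, ssn: str, dob: str, new_email: str, new_pin: str) -> str:
    """The behaviour the article describes: a second sign-up with matching
    identity attributes silently replaces the contact address and PIN, and the
    only control is a notice to the old address after the change is done."""
    key = identity_key(ssn, dob)
    acct = store.accounts.get(key)
    if acct is None:
        register(store, ssn, dob, new_email, new_pin)
        return "created"
    old_email = acct.email
    acct.email = new_email   # overwritten before anyone has approved it
    acct.pin = new_pin       # previous recovery secrets erased
    store.send(old_email, "Your email address has been changed")
    return "replaced"


def safe_reregister(store: Store, ssn: str, dob: str, new_email: str) -> str:
    """Hardened flow: an existing account is never modified by a new sign-up.
    A change is staged that needs two independent confirmations: the address
    on file must approve it and the new address must prove it can receive
    mail. Until both arrive, the old email and PIN stay in force."""
    key = identity_key(ssn, dob)
    acct = store.accounts.get(key)
    if acct is None:
        return "no-existing-account"   # a normal first-time registration would go here
    acct.pending_email = new_email
    acct.token_for_old = secrets.token_urlsafe(16)
    acct.token_for_new = secrets.token_urlsafe(16)
    store.send(acct.email, "Approve email change? (do nothing to keep your address)")
    store.send(new_email, "Confirm you own this address")
    return "pending-confirmation"


def confirm_change(store: Store, key: str, token_old: str, token_new: str) -> bool:
    """Apply the staged change only when both tokens match. Constant-time
    comparison avoids leaking token bytes through timing differences."""
    acct = store.accounts.get(key)
    if acct is None or acct.pending_email is None:
        return False
    ok_old = hmac.compare_digest(token_old, acct.token_for_old or "")
    ok_new = hmac.compare_digest(token_new, acct.token_for_new or "")
    if not (ok_old and ok_new):
        return False
    acct.email = acct.pending_email
    acct.pending_email = acct.token_for_old = acct.token_for_new = None
    return True
```

The point of the split is that knowing someone's SSN, date of birth and public-record answers is never by itself enough to move the account: an attacker who controls only the new address can satisfy the possession check but not the approval check, so the account stays with its current owner by default.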

In response to my story, Experian suggested the reports from readers were isolated incidents, and that the company does all kinds of things it can’t talk about publicly to prevent bad people from abusing its systems.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

That sounds great, but since that story ran I’ve heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account.

I’d like to believe this class action lawsuit will change things, but I do not. Likely, the only thing that will come from this lawsuit — if it is not dismissed outright — is a fat payout for the plaintiffs’ attorneys and “free” credit monitoring for a few years compliments of Experian.

Credit bureaus do not view consumers as customers; consumers are instead the product being sold to third-party companies. Often that data is sold based on the interests of the entity purchasing it, and consumer records can be packaged into categories like “dog owner,” “expectant parent,” or “diabetes patient.”

A chat conversation between the plaintiff and Experian’s support staff shows he experienced the same account hijack as described by our readers, despite his use of a computer-generated, unique password for his Experian account.

Most lenders rely on the big-three consumer credit reporting bureaus (Equifax, Experian and TransUnion) to determine everyone’s credit score, fluctuations in which can make or break one’s application for a loan or job.

On Tuesday, The Wall Street Journal broke a story saying Equifax sent lenders incorrect credit scores for millions of consumers this spring.

Meanwhile, the credit bureaus keep enjoying record earnings. For its part, Equifax reported a record fourth quarter 2021 revenue of 1.3 billion. Much of that revenue came from its Workforce Solutions business, which sells information about consumer salary histories to a variety of customers.

The Biden administration reportedly wants to create a public entity within the Consumer Financial Protection Bureau (CFPB) that would incorporate factors like rent and utility payments into lending decisions. Such a move would require congressional approval but CFPB officials are already discussing how it might be set up, Reuters reported.

“Credit reporting firms oppose the move, saying they are already working to provide fair and affordable credit to all consumers,” Reuters wrote. “A public credit bureau would be bad for consumers because it would expand the government’s power in an inappropriate way and its goals would shift with political winds, the Consumer Data Industry Association (CDIA), which represents private rating firms, said in a statement.”

A public credit bureau is likely to meet fierce resistance from the Congress’s most generous constituents — the banking industry — which detests rapid change and is heavily reliant on the credit bureaus.

And there is a preview of that fight going on right now over the bipartisan American Data Privacy and Protection Act, which The Hill described as one of the most lobbied bills in Congress. The idea behind the bill is that companies can’t collect any more information from you than they need to provide you with the service you’re seeking.

“The bipartisan bill, which represents a breakthrough for lawmakers after years of negotiations, would restrict the kind of data companies can collect from online users and the ways they can use that data,” The Hill reported Aug. 3. “Its provisions would impact companies in every consumer-centric industry — including retailers, e-commerce giants, telecoms, credit card companies and tech firms — that compile massive amounts of user data and rely on targeted ads to attract customers.”

According to the Electronic Frontier Foundation, a nonprofit digital rights group, the bill as drafted falls short in protecting consumers in several areas. For starters, it would override or preempt many kinds of state privacy laws. The EFF argues the bill also would block the Federal Communications Commission (FCC) from enforcing federal privacy laws that now apply to cable and satellite TV, and that consumers should still be allowed to sue companies that violate their privacy.

A copy of the class action complaint against Experian is available here (PDF).


63 thoughts on “Class Action Targets Experian Over Account Security”

  1. Kishore Kumar

    ‘Likely, the only thing that will come from this lawsuit — if it is not dismissed outright — is a fat payout for the plaintiffs’ attorneys and “free” credit monitoring for a few years compliments of Experian.’

    Thank you for stating this, Brian! Now that you’ve called them out by putting this bit in writing, there’s a good chance that the public would get to see a genuinely positive outcome. And not just a payout for a few, without any real changes in processes.

    The world needs more people like you. In every field of life.

  2. ILoveKrebs

    Brian Krebs, I don’t know how you do it but we love you

  3. timeless

    > I can assure you that we were not hacked.
    > We can shut down your membership for you and make it to where nobody even yourself can _not_ have access until you send in documents proving your identity if you would like? – Amanda

    The double negatives are hard…

  4. Bill Ender

    Brian: As I noted in our exchange Re your earlier post Re the Experian hack, TransUnion has a similar account takeover (ATO) problem; but at least they don’t allow anyone with PII to create a duplicate account in order to redirect all communications Re a compromised account to a different email and phone. But TransUnion’s “solution” to this problem is to just block your account permanently and disable access via their Web portal — forcing consumers to use the phone to request credit report copies or account freeze/unfreeze. Essentially, they admitted to me that they can’t fix their ATO problem.

  5. Kevin Brown-Goebeler

    Frankly I am quite surprised that the banking industry would oppose this legislation. If I were a banker I would want quality information, properly vetted, verified, and SECURED but it seems all too easy for the big Three agencies to provide them with garbage.

    1. KFritz

      Three possible reasons I can think of, really quickly. First, they themselves might then be subject to similar legislation that would rein in their own abuses. Second, as BK implied, they’d have to spend some of their own money doing what the credit bureaus do now. Third, blind allegiance to non-regulation, no matter how much the allegiance flies in the face of sense and decency.

    2. anon

      To add to what KFritz has said, another simple reason would be that using this new source would require updating processes, aka ‘change’, which costs them money.

  6. cfb

    I was hacked in 2019; I discovered it May 2022. Turns out a fraudulently acquired 10k credit card from Capital One points to someone being able to do exactly this to my file at Experian. It’s Aug 2022. I still can’t access and manage my Experian file. They have my faxed documents to prove my identity, but apparently the stack of similar documents is so big, they can’t even tell me “when” they will get to mine. In fact once hacked at Experian the resolution they offer people is for you to use snail mail (postal mail being a likely culprit of how I got hacked in the first place), to upload your most highly sensitive personal data. Did you know putting a fraud alert on your files results in stopping pre-approved credit card offers? I mean everyone should do that immediately to stop the spam and reduce the risk of a mail thief stealing your identity. Sadly I found joining the class action vs Capital One seems impossible because guess what… they don’t have “me” on file, so I have to guess that notification went to the hacker. No, they are not trying to protect our identities.

  7. NotHappyWithExperian

    I am going through a similar problem with Experian.

    I was locked out of my Experian account. Instead of helping me recover my account, the Experian phone representative (which was a chore in itself to even reach a live person) told me to create a new account with a different email. I told her I only have 1 email address and want to get my account control back, not set up a second Experian account. She advised me to create a new email address so I can create a new Experian account with that new email. So, clearly this is something Experian not only knows about but is telling legit consumers (and likely scammers) to do!

    I sent Experian a letter via registered mail over 30 days ago trying to recover my account which I still can’t access and still have no response. At the same time all this was going on someone tried to use my info to open a credit card. I am fairly certain it is linked to Experian.

    Very frustrated by the whole Experian experience.

  8. Sebastian

    You have my help with 100€ in this lawsuit.

  9. Philip

    My account was hijacked in April 2021. I called Experian. They wouldn’t help at all. So I just had to recreate the account and take it back.

  10. Maria

    Experian sent all the wrong info to a creditor I applied to. Called to straighten it out – was told to call back in a few days. Now can’t get a human and can’t file a dispute online.

  11. Frank Wassner

    I have been a victim of this security breach.
    Do I need to file a report in order to be included?

  12. JC

    Thank you for your diligence on these security issues. I had an Experian account to (BOOST) my credit. I found it lacking and shallow, not finding things to count they could have. Maybe only companies favorable to them matter in their selections? Who knows? Long story short, I deleted my account after both accounts I had (connected) to their Boost feature were used without my consent. Had to involve police reports on one. That was the only place online I had both listed. Told them maybe I should join that class action lawsuit? They send me a barrage of emails like ads and promotions why they’re so great *in their own minds*. Uh huh. DELETE it, I told them. It’s gone now. There are other places NOT so careless about people’s private data. My credit is very good now and getting better even without Experian. My advice to others? Don’t use them.

  13. Ken

    Most of these companies have CISOs with MBAs who have zero security engineering background and are thus completely useless. We the customers are victims while the US keeps losing its IT technical competence to third-world countries by outsourcing most of the IT jobs. You just end up with a worthless management team who do not understand how to secure customer data.

  14. Trae phillips martin

    I was hacked in 2019 and filed a report with the FCC thinking it was only T-Mobile. I have always had Experian; they changed my email before the breach was discovered, never changed my address, and I was never told my data was breached, but I have filed countless disputes about things wrong or added to my report. Things have been taken off but that has not fixed the credit, and I’m just now finding out I was part of all this even though I have been reporting misconduct for years now. Looking for legal aid in this matter.

  15. AK

    What company in the business of reporting consumers most important and private data, should be allowed to NOT have a customer service emergency line, when that very consumer data is in jeopardy in real-time?

    I too received an email for an unauthorized change of address. I responded by following their instructions to log in to my account (which I could not do because aspects of my login had been changed, e.g. email address/username) and request a password change (which I could also not do as my email was no longer associated with the account). I reached out to Experian for help and got a useless, state-the-obvious reply to do what I had already attempted. This time in trying, I stupidly used the ‘forgot username’ feature, only to have the password reset sent to a partially obscured and completely unknown email address that ended in ‘mail.ru’!!! Unbelievable!!!! Now in a panic, and working against time, I separately scoured the internet in hopes of finding a live CS number for these A-H***s. Five different 800 numbers and 1 hour of ‘phone tree f**k-fest’ later, I still have no human contact, so I have been barraging their original CS email address with requests to act now and make no changes to the account since their original date of contact with me!

    This company has no right to even be acknowledged by me, much less have a business relationship with me. I was an ID theft victim about 6 years ago, and it was then that I had to create the account with them in the 1st place. Since then, it has been nothing but a barrage of emails and requests to ‘upgrade my account’ to a paid tier.

    These guys are not just useless; their sieve-like security practices make them a threat, not a vault for consumer data. They do not deserve to be trusted with the data of anyone with a pulse.

    Since this is happening in real-time, I now have a great night ahead of me of changing passwords everywhere for everything, in the interest of caution and common sense, while my credit report and all its contents gets pored over in real time by a Russian ‘comrade’ on the dark web! Thanks Experian, you’re the best®!!

Comments are closed.