August 5, 2022

A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.

The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian’s documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.

In July’s Experian, You Have Some Explaining to Do, we heard from two different readers who had security freezes on their credit files with Experian and who also recently received notifications from Experian that the email address on their account had been changed. So had their passwords and account PIN and secret questions. Both had used password managers to pick and store complex, unique passwords for their accounts.

Both were able to recover access to their Experian account simply by recreating it — sharing their name, address, phone number, social security number, date of birth, and successfully gleaning or guessing the answers to four multiple choice questions that are almost entirely based on public records (or else information that is not terribly difficult to find).

Here’s the bit from that story that got excerpted in the class action lawsuit:

KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.
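As an added illustration (not Experian's code and not taken from the complaint), here is a minimal account store that models the re-registration behaviour described in the excerpt beside a hardened version: an existing file is matched by a keyed hash of the presented PII, and a second sign-up can only rebind the email once a token sent to the old address and a token sent to the new address both come back. All names, addresses, the sample PII and the server key are hypothetical.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
SERVER_KEY = b"constructed-server-key"  # hypothetical; keep a real one in an HSM/KMS

def identity_key(ssn: str, dob: str) -> str:
    """Keyed hash of the PII a sign-up presents: lets the bureau notice that a
    file already exists without storing raw SSN/DOB beside the account."""
    return hmac.new(SERVER_KEY, f"{ssn}|{dob}".encode(), hashlib.sha256).hexdigest()

@dataclass
class Account:
    email: str
    pending: dict = field(default_factory=dict)  # in-flight email change, if any

class VulnerableBureau:
    """Re-registering with the same PII and a new email silently rebinds the
    account; the old address is only notified afterwards (the flaw in the excerpt)."""
    def __init__(self) -> None:
        self.accounts = {}

    def register(self, key: str, email: str) -> str:
        acct = self.accounts.get(key)
        if acct is None:
            self.accounts[key] = Account(email)
            return "created"
        acct.email = email  # no approval from the old email, no proof the new one is reachable
        return "email-changed"

class HardenedBureau(VulnerableBureau):
    """Same PII already on file: keep the current email and open a change that
    needs one token from the OLD address and one from the NEW address."""
    def register(self, key: str, email: str) -> str:
        acct = self.accounts.get(key)
        if acct is None:
            return super().register(key, email)
        acct.pending = {"new_email": email, "done": set(), "tokens": {
            "old_approves": secrets.token_urlsafe(16),  # mailed to acct.email
            "new_confirms": secrets.token_urlsafe(16),  # mailed to the new email
        }}
        return "pending"  # production: reply exactly as for "created" to hide file existence

    def confirm(self, key: str, channel: str, token: str) -> str:
        p = self.accounts[key].pending
        if not p or channel not in p["tokens"]:
            return "rejected"
        if not hmac.compare_digest(p["tokens"][channel], token):
            return "rejected"
        p["done"].add(channel)
        if p["done"] != set(p["tokens"]):
            return "waiting"  # one channel alone must never rebind the account
        self.accounts[key].email, self.accounts[key].pending = p["new_email"], {}
        return "email-changed"

def replay(bureau: VulnerableBureau) -> str:
    """Constructed sample: owner signs up, then a second sign-up with the same
    PII but a different email. Returns the email the account ends up bound to."""
    key = identity_key("123-45-6789", "1970-01-01")
    bureau.register(key, "owner@example.com")
    bureau.register(key, "second-signup@example.net")
    return bureau.accounts[key].email
```

The hardened flow also leaves the existing PIN and security questions untouched until both tokens are returned, which is the step the excerpt says was skipped.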

In response to my story, Experian suggested the reports from readers were isolated incidents, and that the company does all kinds of things it can’t talk about publicly to prevent bad people from abusing its systems.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

That sounds great, but since that story ran I’ve heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account.

I’d like to believe this class action lawsuit will change things, but I do not. Likely, the only thing that will come from this lawsuit — if it is not dismissed outright — is a fat payout for the plaintiffs’ attorneys and “free” credit monitoring for a few years compliments of Experian.

Credit bureaus do not view consumers as customers, who are instead the product that is being sold to third party companies. Often that data is sold based on the interests of the entity purchasing the data, wherein consumer records can be packaged into categories like “dog owner,” “expectant parent,” or “diabetes patient.”

A chat conversation between the plaintiff and Experian’s support staff shows he experienced the same account hijack as described by our readers, despite his use of a computer-generated, unique password for his Experian account.

Most lenders rely on the big-three consumer credit reporting bureaus (Equifax, Experian and TransUnion) to determine everyone’s credit score, fluctuations in which can make or break one’s application for a loan or job.

On Tuesday, The Wall Street Journal broke a story saying Equifax sent lenders incorrect credit scores for millions of consumers this spring.

Meanwhile, the credit bureaus keep enjoying record earnings. For its part, Equifax reported a record fourth quarter 2021 revenue of $1.3 billion. Much of that revenue came from its Workforce Solutions business, which sells information about consumer salary histories to a variety of customers.

The Biden administration reportedly wants to create a public entity within the Consumer Financial Protection Bureau (CFPB) that would incorporate factors like rent and utility payments into lending decisions. Such a move would require congressional approval but CFPB officials are already discussing how it might be set up, Reuters reported.

“Credit reporting firms oppose the move, saying they are already working to provide fair and affordable credit to all consumers,” Reuters wrote. “A public credit bureau would be bad for consumers because it would expand the government’s power in an inappropriate way and its goals would shift with political winds, the Consumer Data Industry Association (CDIA), which represents private rating firms, said in a statement.”

A public credit bureau is likely to meet fierce resistance from the Congress’s most generous constituents — the banking industry — which detests rapid change and is heavily reliant on the credit bureaus.

And there is a preview of that fight going on right now over the bipartisan American Data Privacy and Protection Act, which The Hill described as one of the most lobbied bills in Congress. The idea behind the bill is that companies can’t collect any more information from you than they need to provide you with the service you’re seeking.

“The bipartisan bill, which represents a breakthrough for lawmakers after years of negotiations, would restrict the kind of data companies can collect from online users and the ways they can use that data,” The Hill reported Aug. 3. “Its provisions would impact companies in every consumer-centric industry — including retailers, e-commerce giants, telecoms, credit card companies and tech firms — that compile massive amounts of user data and rely on targeted ads to attract customers.”

According to the Electronic Frontier Foundation, a nonprofit digital rights group, the bill as drafted falls short in protecting consumers in several areas. For starters, it would override or preempt many kinds of state privacy laws. The EFF argues the bill also would block the Federal Communications Commission (FCC) from enforcing federal privacy laws that now apply to cable and satellite TV, and that consumers should still be allowed to sue companies that violate their privacy.

A copy of the class action complaint against Experian is available here (PDF).

63 thoughts on “Class Action Targets Experian Over Account Security”

  1. JamminJ

    “…without first verifying that the existing account holder authorized the changes violates the”

    Brian, looks like it’s missing the last part of that sentence.

    1. Honestly

      Celebrating a super minor nothing pun in a headline and playing imposter again?
      It’s no wonder you want to be other people, JJ. If this is your best life I feel for you.

      1. Honestly

        And it’s JamminJ impersonating for victimstance by a nose!

  2. B Matrana

    I don’t know what I did/answered that was “wrong” — IMHO – Equifax is the WORST of the big 3 credit bureaus.

    To remove a freeze on Equifax, I HAVE to call them — impossible to unfreeze online.

    I agree, the credit bureaus are not customer focused – they are $ focused for businesses.

    1. Lindy

      WE ARE NOT their customers. We are a commodity that they never had to buy, companies just GAVE them all our info over time…. and they make a fortune charging banks, etc. …selling them all our info. They don’t care if the business is legit or not, as long as they are paying the fees. If they don’t have you in their records you can’t get a credit card, buy a house or car… even employers are using credit bureaus….
      All three should be sued for stealing our info. But… it’s not much different from what Amazon, Facebook and others do to us on the net. sigh….
      Thanks, Brian, for keeping us informed.

      1. Ja

        I agree these are private businesses that are the absolute worst; they are pumping the world. I had a house listed on my credit report while actually homeless.

    1. Lindy

      Absolutely…. all of them…they are grifters.

  3. Martin P.

    Equifax = Worst “legal” personal hacking company.

    1. Martin P.

      Woops… Should have been:

      Equifax = Worst “legal” personal information hacking company.

  5. Dennis

    People, calm down. You are all a product and not a customer. And products can’t complain. This sh*t will continue as long as these leech agencies are allowed to sell our data without our opt-in consent.

  6. G.Scott H.

    They are using security measures that obviously cannot be discussed publicly. So they are using “Security through Obscurity” which means the security measure only works as long as nobody else knows about it.

    They reference layers as well, but if the layers mostly depend on obscurity they will be figured out and fail. Proper implementation of layers is also critical to the overall security. One improper layer implementation could negate multiple otherwise effective layers, which in the worst case can reduce the effective layer count to zero. It seems Experian may have achieved that.

    I’d hate to see their implementation of multi-factor authentication if they cannot get basic authentication right.

    Because of the situation, they must have external requirements to force them to properly implement proper security for the information they hold on all of us. They already had to be forced decades ago to improve the accuracy of information because they had no incentive to do it on their own but it affected anybody seeking credit, or insurance, or utility service, or a job, or who knows what else may be decided is a good use.

  7. G.Scott H.

    You do not own the data/information about you. It is owned by the entity that collected it. They can then do with it as they please. There are some restrictions that have been put in place, but not much, and only after particular harms were realised, and only after each harm was realised, and only after enough people/voters/constituents demanded something be done.

    So much information is collected about individuals which is never intended to help the individual only the collector.

  8. Jim B

    The only real solution starts with revoking Experian’s corporate charter.

    1. mealy

      With major side eye with conveniently placed microscope at the other two.
      And why are there three, this holy trinity of private credit bureau’ing is sanctified?
      Hardly.

  9. Some guy on the Internet

    OK, so we as individuals should still establish accounts at the credit reporting agencies, and use those accounts to freeze our credit reporting, without (of course) paying a penny.

    This will not, IMHO, increase the likelihood that s.o. will create an account in our name. As long as our computing devices and our home networks are not themselves compromised. Is that correct?

    And we as individuals should regularly sign in to those accounts and ensure that our login credentials have not changed and the freezes are still on. If we need to re-establish access to our accounts, and freeze them again, well, I guess that’s an onerous but possible task.

    What message(s) should we send, to what federal office holders, to change the laws or regulations regarding this? Are there state officials who can help with this?

  10. Larry a wannabe tech guy

    @B Matrana
    Not to be a smart ass, but “Credit bureaus do not view consumers as customers, who are instead the product that is being sold to third party companies”.
    They ARE customer focused. The “third party companies” are the customers.

  11. James Reed

    Brian, thank you! You are providing an invaluable service to Americans. We are sincerely grateful!

  12. shawn

    Equifax recently notified me that my email and a psswd were discovered as part of a hacked site & data set. I use my email across many sites, and could not guess which was compromised. I called for that info so I could change the psswd, but even after I verified my identity to them the service agents cited policy and refused to tell me the specific site. Do they expect me to change the respective psswd for each of what might be 100 sites? Insane business practices.

    1. David L.

      You can use the haveibeenpwned.com website to determine which hack, if any, exposed your email address.

      1. an_n

        Those are from known breaches and they work backwards.

    2. Anita Wright

      This whole thing is terrifying… these people out on the web know everything about you, where you live, and know what you look like, and you and me know nothing about them… very terrifying.

  13. Matt

    I was a victim of this, only I never had an account. Someone created one as if they were me, giving them full access to my credit report. What I want to know is how I can join the class action lawsuit?

  14. K A

    I don’t like our litigious society. But Experian is a poster child for corporations that won’t do the right thing until they are caught – and punished – hard! The one thing I’d like to see in this case is actual jail time for the execs when found guilty.

  15. Jim

    Equifax allowed the hack of the personal information of 140 million plus Americans in 2017 including me and my spouse. From what I can tell they suffered no real consequence for that and we are left to do the best we can to protect our identity for the rest of our lives. Even the pitiful offer of credit monitoring was only for a year. Anyone who thinks government regulation is unnecessary is incredibly naive.

  16. Charles D Weis

    While the credit bureaus should improve, the worst possible solution is getting the government involved, leading to a Chinese style “social credit” system. Be careful what you wish for.

  17. gary

    Most ALL organizations have a motto: “greed, power and vanity”

  18. Ebony Chisholm

    Same here, I was able to sign up with a different email address to get access to my account.

  19. Kris Wilhelm

    I have a problem with Capital One, that is Experian, where my account was compromised. Capital One did nothing to fix it. I had to cancel my credit card. I couldn’t access my account because someone added their own information. They changed everything, my email address and everything to access my account. They even added another bank to my Capital One card. I notified them right away, nothing happened. I even asked for a new card number; they said there was a restriction on it they couldn’t lift off. I am still in dispute with them.

  20. Hosedsumer

    Pity, we the poor “consumers,” who are always told to suck up to these lame companies because THEY proclaim whether we’re creditworthy beings. Meanwhile they hose up our data, lose it, then piously offer us “protection” from the problems they caused; simultaneously shoveling our data out the side door for big bucks. In a fair world, THEY would be the ones held to account. Their credit is shot.

  21. Constance Seiler

    OMG ….my account was hacked 3 years ago and I received a letter from Experian stating that my account was hacked about 2 weeks AFTER the hack….by that time I was cleaned out of EVERYTHING!!!
    I WAS HOMELESS because of it.
    My Social Security and Unemployment were hacked as well!!

  22. I dunno, just asking questions

    So, is it still worthwhile to set up an account at Experian and freeze our credit?

    Would such a step increase our risk? Seeking opinions, please.

    1. BrianKrebs Post author

      Setting up accounts at the three major credit bureaus is a first start. Otherwise, you will likely only find out someone has claimed your identity after bad stuff starts happening. Placing a freeze on your file adds another layer of security that lets you decide when your credit file should be viewable by others.

      https://krebsonsecurity.com/2020/08/why-where-you-should-you-plant-your-flag/

      https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/

  23. Mitch Berkson

    Could you explain how the Fair Credit Reporting Act gives a consumer standing to sue Experian? Despite the way the credit reporters and banks would like to frame the problem, it seems like it’s entirely a fraud perpetrated on the bank which only collaterally involves a consumer. So the banks should be suing Experian.

  24. Robert Scroggins

    It’s about time. Experian has been running roughshod over consumers for some time.
    Regards,

  25. Lindy

    I’ve got a personal story of how accurate the records are in these credit bureaus.

    I was having trouble getting into one of them, so I finally requested a report to be sent to me to see what they had on me. There it was…. no wonder I couldn’t pass the test to get in…they had a former address as my EMPLOYER !!! Main Street, Station 2354 instead of the XYZ company. The address would have been 2354 Main Street. How they messed up so badly is anyone’s guess. After I sent in the corrections I was able to get into my account.

  26. George S

    Exact same thing happened to me with Experian. I received an email notifying me of an email address change. I no longer could access my account. I spent about an hour trying to get my email address reverted back. Once able to log in, all of my details were changed!
