January 9, 2023

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via annualcreditreport.com.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse [at] the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.

WHAT CAN YOU DO?

It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with the push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.
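
The URL change described earlier worked because the report page did not check, on the server, whether the questions step had been completed. As an added illustration (not from the original article and not Experian’s code), the following Python example models that flaw beside a handler that enforces the verification state server-side and logs out-of-sequence requests. The route paths are the ones quoted above; the session model, function names and sample data are hypothetical.

```python
"""Constructed model of a multi-step identity-verification flow (not Experian's code).
Route paths are the ones quoted in the article; everything else is hypothetical."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Step(Enum):
    IDENTITY_SUBMITTED = auto()  # name, address, birthday and SSN received
    KBA_PENDING = auto()         # questions page served
    KBA_FAILED = auto()          # "not enough information" error page served
    KBA_PASSED = auto()          # questions answered correctly


@dataclass
class Session:
    consumer_id: str
    step: Step = Step.IDENTITY_SUBMITTED
    audit: list = field(default_factory=list)


# Constructed sample data.
REPORTS = {"consumer-001": "full credit file (constructed sample)"}
KBA_ANSWERS = {"consumer-001": ("B", "D", "A", "C")}

# Server-side policy: which verification states may reach each route.
# Any route not listed here is rejected.
ALLOWED_STEPS = {
    "/acr/oow/": {Step.IDENTITY_SUBMITTED, Step.KBA_PENDING},
    "/acr/OcwError": {Step.KBA_FAILED},
    "/acr/report": {Step.KBA_PASSED},
}


def render(path, session):
    """Page bodies only; no authorization decision is made here."""
    if path == "/acr/oow/":
        session.step = Step.KBA_PENDING
        return 200, "verification questions"
    if path == "/acr/OcwError":
        return 200, "unable to verify identity"
    if path == "/acr/report":
        return 200, REPORTS[session.consumer_id]
    return 404, "not found"


def handle_vulnerable(path, session):
    """Modelled flaw: any request carrying a session is rendered, so the order
    of steps is enforced only by the links the browser happens to follow."""
    if session is None:
        return 401, "no session"
    return render(path, session)


def handle_hardened(path, session):
    """Checks the recorded verification state before rendering any route."""
    if session is None:
        return 401, "no session"
    allowed = ALLOWED_STEPS.get(path)
    if allowed is None:
        return 404, "not found"
    if session.step not in allowed:
        # Out-of-sequence requests are a useful detection signal.
        session.audit.append(f"denied {path} in state {session.step.name}")
        return 403, "identity verification not completed"
    return render(path, session)


def submit_answers(session, answers):
    """The state transition happens only here, on the server, and only
    from KBA_PENDING; the client cannot set the state itself."""
    if session.step is not Step.KBA_PENDING:
        session.audit.append(f"answers submitted in state {session.step.name}")
        return False
    ok = tuple(answers) == KBA_ANSWERS[session.consumer_id]
    session.step = Step.KBA_PASSED if ok else Step.KBA_FAILED
    return ok


if __name__ == "__main__":
    for start in (Step.KBA_PENDING, Step.KBA_FAILED):
        s = Session("consumer-001", start)
        print(start.name, "vulnerable:", handle_vulnerable("/acr/report", s)[0],
              "hardened:", handle_hardened("/acr/report", s)[0], s.audit)
```

The audit entries written on each denial are the kind of record that would show how long and how often the report route was being requested by sessions that never passed the questions.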


77 thoughts on “Identity Thieves Bypassed Experian Security to View Credit Reports”

  1. Patrick Harbauer

    What’s also very irritating is that Experian and Equifax offer no option for MFA when logging in to their website. That’s bare bones security that these credit bureaus should all be required to offer.

    Reply
    1. Robert.Walter

      Agreed.

      So many sites out there that still depend on SMS text PIN or email which could instead offer TOTP authentication (built for free into iOS iCloud Keychain’s password manager.)

      Reply
  2. James

    Experian is so untrustworthy, that I simply freeze my report there and never thaw it. When I am applying for something, the company running my credit will eventually get a report from one of the other two bureaus. The last time I purchased something that required a credit check, I received a couple of letters a few weeks later telling me that they were unable to offer me credit as a result of not getting my data. I had no issue making the purchase and I was paired up with a company that doesn’t rely on Experian. I consider it a win-win. Experian didn’t get my business and neither did companies that use them.

    Reply
    1. Barry

      Seems to me like whenever a company needs credit info on me they ALWAYS use Experian. I immediately ask if they use a different credit bureau (preferably TU), but they usually reply they only use Experian & I tell the company that Experian is the WORST of the 3 major credit bureaus.

      Reply
      1. Barry

        My bad (I mentioned Experian) — seems a lot of companies use Equifax which I feel is the WORST of the big 3.

        Reply
      2. Barry

        My bad (I mentioned Experian) — I meant Equifax seems to be used by many credit info needing companies — my feeling is that Equifax is the worst to do “business” with.
        Of the big 3, I’ve had the best luck with TU.

        Reply
        1. Jeffrey Minner

          I feel the same way. Trans Union is the easiest to use and it’s my best report. Equifax is absolutely horrible to deal with and will not fix anything because it means more money for them. I hate them. Experian is the most popular credit bureau as far as companies that use them for credit pulls.

          Reply
  3. Alexandra

    Please feel free to use this template…
    Dear [Senator/Representative name here],
    I want to alert you to a report today by the respected security researcher Brian Krebs (link below to his report). The credit reporting bureau Experian is allowing identity thieves easy access to consumer’s private data. This is egregious and not the first time that Experian has had glaring security lapses. I see that Sen. Wyden has commented on this latest issue, but I am hoping YOU will call Experian out for their cavalier handling of our data.
    https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/
    Thank you,
    [Your constituent name here]

    Reply
  4. Chris Holland

    AnnualCreditReport.com has never worked for myself or anyone that I’ve talked to. Every single time it says that it can’t validate you.

    However, when you provide exactly the same information to the three credit bureaus to pay for a report, you’re provided with instant, no fuss access.

    This entirely intentional situation constitutes many millions of counts of interstate wire and/or mail fraud every year. Perhaps one or two of the displaced agents from the FBI’s recently disbanded Twitter Liaison Team could do something useful for a change?

    Reply
    1. mealy

      I’ve used ACR three or four times, not recently but maybe a few years ago without issue.
      I was able to get reports from all three bureaus. I’ll try again now and see if something’s changed.

      Reply
    2. Edgar Alley

      If you’re using a VPN, try it with the VPN deactivated. I had the same problem with annualcreditreport.com until I tried it without my VPN.

      Reply
  5. Robert.Walter

    Despite credit freezes at the big and small bureaus, a couple of years ago my mother was the victim of identity theft through a Verizon store.

    This dinged her FICO for a short while.

    Even after I got that cleaned up, it was impossible to remove the address where the thieves lived from mom’s credit report.

    When we are confronted by KBA questions, we now use this address as if it were one of mom’s, otherwise we fail and have to repeat the process.

    Where this breaks down is when they ask other questions related to the thief, like what is your car, or mortgage, etc. since we have no insight into that we can’t answer those questions successfully and fail.

    I assume one day we won’t be able to succeed because the KBA questions expect bogus answers.

    Good thing mom is 90 and, despite being fully online and paperless, doesn’t need to verify like this very often.

    Reply
  6. Robert.Walter

    I’d also like to add TransUnion to the KoS hall of shame.

    For going on 5 years, it is not possible to update either username or challenge answer without getting this fail:

    “We are temporarily unable to complete your request.Looks like we are experiencing a problem on our end.”

    Reply
  7. Mahhn

    As I have never given them permission to have my information, there is nothing I could do about it if they do have it. Not like they will delete it or stop selling it.
    How do the credit burros (not part of government) even harvest our info in the first place- Who/what is giving our data to these companies that provide it to crooks? Can we shut them down?

    Reply
    1. Stephen Davis

      Aside from public records, the banks, finance companies, retailers, lease management, debt collection, and every other company routinely using your information through these agencies are also providing updated information back to them.

      Reply
    2. security vet

      …please tell me the law that requires you to give them permission…

      …when someone (like you) applies for credit (any credit, cell account, roofing, etc.) your data goes into the big 3 to see if you’ll pay the bill…

      Reply
  8. afsdf

    Does it really matter? They already have your SSN, they’re not learning much they probably don’t already know.

    Reply
    1. Yes, it matters.

      Yes, it matters, because they can use information from your profile to open NEW accounts under your name and get loans or credit lines extended to them at new locations while footing you with the bill and ultimately the default when they don’t pay the loan as agreed. Now you’re responsible for paying off some loan in a different state that you didn’t take out and have to deal with the headache of proving it wasn’t you that did it.

      Reply
  9. Jenya Kushnir

    Hello
    My name is Jenya Kushnir, I am the one who found this bug.
    I have tried to contact Experian myself to let them know they have a big problem but like always got bs run around and clear response, after that I have tried to find a bug bounty program to see if I can submit a report but found out later that they don’t do this kind of program, it’s really bad as I think I would have helped a lot. So what I did next is contacted Brian and told him what I have found. Spoiler: there is also a major problem with Transunion, also bigger than Experian.

    It’s really hard right now here with the whole War going, power blackouts and everything else, don’t want to sound petty but if someone can help out, I really would appreciate donations.

    I would use this to upgrade my gear, buy a power generator and maybe a Starlink so I can do more research and try to help stop and make it harder for identity thieves.

    Thank you Brian for sharing this story and everyone who reads this

    ВТС – bc1qfeq4hfclexv0y4hx7updzt0pnm7pu38zk0g40e

    ETH – 0x43D09322cc162D1C4FaeB674398262bf9415A66F

    TRON – TXagnv8eFH7rj6f5vq9ramTGSVcQbY7ipG

    USDT TRC20 – TXagnv8eFH7rj6f5vq9ramTGSVcQbY7ipG

    USDT ERC20 – 0x43D09322cc162D1C4FaeB674398262bf9415A66F

    Reply
    1. Phil

      Kickstarter or GoFundMe might get better results for you than here on this comments section. You would reach a much wider audience, and I am certain that you will get better funding that way. Using altcoin is an overly complicated method for requesting donations, you will get a lot fewer donations with that method.

      Reply
      1. Jenya Kushnir

        Hello, Phil
        Thank you for your response, but unfortunately these two options are not available for me since I am in Ukraine.

        Reply
  10. Jonas Smithson

    Regarding knowledge based authentication: I recently tried to set up a link between a major mutual fund and my bank account. It turned into a month-long nightmare because they bombarded me with questions about jobs I never heard of, places I had never lived in, and all kinds of information that had nothing to do with me. I still have no idea where all those completely wrong questions came from.

    Reply
  11. vaadu

    Is there a simple way to verify your accounts are frozen, get notified if unfrozen and who/when anyone made a request to see my data?

    Reply
    1. Arul

      I did get an alert email from all 3 bureaus when I unfreeze my report for credit pull. To be clear, this is when I logged in to each of the bureau websites to disable the freeze… I am not sure it would generate the email if a fraudster/criminal did that exploiting a security hole (Experian seems to have a lot).

      Reply
    2. Arul

      I got an alert email from all 3 bureaus when I unfreeze my reports for a credit pull to go through. To be clear, I logged into each of the sites and manually disabled the freeze… I am not sure the same alert emails will be generated if a criminal does the same using a security exploit which Experian seems to have a lot 🙂

      Reply
  12. Chris

    If anyone is driving a (class action) lawsuit against Experian, please let me know. There has been substantive damage from this loophole and I’m happy to support with data.

    Reply
  13. Bill

    I pay $20 / month to Experian so I can easily look at all my credit information. To login, all they require is my login name and password, NO MFA of any kind. I have pointed this out to the robotic people who answer the phone and they are ambivalent about this. I should mention that they make it rudely difficult to speak to someone and like so many businesses want you to use the automated system to answer any questions.

    Reply
  14. Joshua Stein

    Beyond absurd. These companies will never learn nor I think will they ever truly be held accountable. Another bad story: years ago I was able to login to Barclays without a user name and password and using a form they had on their website that asked for SSN, I was fully logged into the account, not even a password reset involved. Who knows if that was ever fixed, I reported it to a security executive there, never heard back, and I never did business with them again.

    Reply
  15. Hans Hug

    Another thing Consumers REALLY need to pay attention to is this: These companies try their best to force Consumers to use the Internet to download their files. Bad idea because, besides a host of things some of them want you to agree to when using their website for file access but BEFORE they give you your data, is a requirement that you agree to arbitration. Huh? I have to forfeit the right to sue simply to get a copy of what State & Federal law states clearly is my right to have? YES.

    And there are other requirements you must agree to if you read the Agreement-sometimes called a EULA. I have the LexisNexis Agreement in front of me now although I have NO intention of going along with their demands among other things, while not clearly stating arbitration is required they do demand that any legal action takes place in Georgia.

    Lastly I am confident but not positive that Equifax manages data for LexisNexis, which would explain why LexisNexis is a mess (they all are as we know). READ the Agreement FIRST! So I ALWAYS get my file in a paper format, mailed to me-and they don’t like that at all.

    Reply
  16. Andrew Rossetti

    Froze my credit at all 4 (I also froze my credit report at Innovis just in case) back in 2016 and have never looked back. Working in financial services, I recommend this to everyone who asks what can be done to help thwart identity theft and fraud. Thanks, Brian, for staying on top of this topic!

    Reply
    1. Chris N

      There are 5 main bureaus, not 4. There is also ChexSystems that is the bureau used by banks and financial institutions.

      Experian
      Equifax
      TransUnion
      Innovis
      Sagestream/Lexis Nexus
      ChexSystems

      Reply
      1. Larry Kahm

        Just looked at the Sagestream/Lexis Nexus site, which says

        All security freezes that are requested through this portal will only be in place at LexisNexis Risk Solutions and SageStream and not other credit reporting agencies. For example, the security freeze will not be in place at TransUnion, Equifax or Experian, Innovis or others.

        Nice! /s

        Reply
    2. Barry

      Unfortunately, freezing didn’t seem to help Julio D
      (see his comment in this thread).

      Reply
  17. Tim

    What can you do when majority of these CISOs are dumbos with MBA or unrelated background. No security engineering background. You think they can hire smart engineers to ensure services are secure? Smart ones want to work for smart bosses who know cybersecurity.
    On top, most of such development work is outsourced to cheap labor countries.

    And Americans must feel secure?

    Reply
  18. bill

    The KBA questions from Equifax are bogus (for me), stuff that I’ve never done, and there’s no way to fix it. Problem is that other companies also (buy?) these questions from Equifax. Don’t these reports have full credit card numbers in them? Can’t that cause some damage?

    Reply
  19. Ronda

    Yes, I have these issues as well. They won’t let me log in to see my reports. They ask questions that I don’t have answers to. I’ve only been able to view mine thru Credit Karma and my bank and credit card sites. I can’t dispute wrong info either for the same reason. It’s ridiculous and definitely not right. I’ve been turned down for credit due to wrong info as well. Prior to not being able to log in anymore, I disputed several things to be later told they were legit, when I know they were not. I literally had to wait till they fell off my reports 7-10 years later. Hopefully something is done soon to stop these things from happening as it has affected me for years.

    Reply
  20. Reshonda Gaiters

    Just recently I found out that my info was on the Dark Web and I’ve been trying to talk to a human but keep getting the computer and one minute my credit was going up and now it’s going down, my prepaid cards are not working or no good. I need this issue to be resolved ASAP. THANK YOU
    Reshonda Gaiters

    Reply
  21. Bill

    I am not surprised by the actions (or lack of action) of the credit bureaus when it comes to cybersecurity. I use a free credit monitor service and check it regularly.

    On a note for KBAs, one way to help reduce the ability to guess your security questions is to create an answer so absurd no one could guess it. So, for example if asked favorite color you could say something like Cherry Ice cream or River running through house. Then document these security questions in your password manager. Anything you can do to make it harder for the bad actors is worth the effort.

    Reply
    1. BrianKrebs Post author

      Bill, I think you might be confusing security questions with knowledge-based authentication questions (KBA). The former you usually get to choose the answer, if not also the questions you have to answer. With KBA, both the questions and the answers are outside of your control.

      Reply
      1. John

        Just treat KBA as another random password (or string of random passwords). Just remember to store them in your local password safe utility with the questions

        Reply
    2. M

      Since I was a child, I have never answered a security question with the actual social engineerable answer. I have always done a salted password type answer.

      Reply
  22. Julio Denmun

    My identity was compromised on the 2017 Equifax. (Long history) Since then my credit has been frozen for the 3 major bureaus.
    In September 2022 I got a letter in the mail (USPS) from Experian letting me know that my credit has been unfrozen from September to December 2022. It took almost 10 days for me to get the letter and in that time the fraudsters attacked my credit, changing all information on my credit cards and requesting new cards to be sent to them… When I called Experian to get an explanation they took advantage of my desperation and tried to sell me protection subscriptions, what disgusting people. I learned a lot from this experience. I noticed that these 3 bureaus had no security on the perimeter of their organization: a fraudster that has a SSN, DOB and address can call and exploit the automated phone system to change all information, even the fraud alert message, they put their own phone number, and as many people mentioned there is no 2FA. You’ll be surprised also that most credit card companies are the same, some you can’t even establish secret questions to ask when someone calls. You’ll be surprised how financial companies handle fraud: no teamwork, no organization, no common sense, the ping numbers can be easily changed over the phone, the automated phone system is the weak point in their security.
    I’m still recovering from my ordeal in September, I also will be a part of a class action lawsuit.

    Reply
  23. Penn Rettig

    WELL, I did a CREDIT FREEZE with all 3 bureaus (I like the spelling one commenter had – Burros!)
    When it came time to do a refi to 2% mortgage- Experian would not open it back up- based on some cockamamie excuse. Not enough info yada yada. Clearly more of their ineptitude. I’m not usually a Ron “Lizard” Wyden fan, but on this He gets my hearty approval and thanks.

    There is no security or privacy anymore. I just try not to be low hanging fruit.
    Oh and Life lock? My daughter’s wallet was stolen in LA – When I called Life lock (she was covered individually) all they did is told me to call the bank and credit card companies which I had already done.
    Dire Straits said it best “Money for Nothin”

    Reply
  24. Disgusted-mountain-view

    I discovered that the only way to get into my account was to say one or more of the actually incorrect pieces of info was the correct answer. I still can’t correct it though. Like everyone else I am getting the runaround from a greedy set of companies who, regardless of their bleatings about “security being important”, have no intention of correcting anything.
    A fine of 20% of worldwide revenue (as in GDPR sanctions), plus individual damages to all of us affected, seems appropriate for this level of egregiousness.

    Reply
  25. Julie

    Thank you for sharing. I tried logging in to my Experian account last week and when I couldn’t get in, I decided to have them confirm my email login – that’s when I discovered that someone has changed the email account to one that is NOT mine. I was never notified.
    I did some research and found your July article talking about this very issue but I was unable to create a new account. And like you, I was able to access my credit report and I too found incorrect information on my report which I cannot dispute because I don’t have access to my account. I was a victim of fraud almost 3 years to the day that I discovered this Experian issue and have now spent $17 on certified mail and return receipt to confirm that Experian receives the proof I was required to send to them via mail because it’s impossible to talk to a real person. I have also logged a report with the Consumer Financial Protection Bureau and with my state’s Attorney General. The Federal Trade Commission is next on my list. It’s terrible to feel powerless over my personal information – the hackers and Experian have more control than I do.
    Thank you for these articles – I don’t wish this on anyone but I must say it’s good to know I’m not alone.

  26. Barry

    Brian, I was cruising along accepting what you were saying until I saw your comment “Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.”
    That caught my attention — Experian has screwed everything else up, how would/could we know they’re not selling frozen info?
    Then I saw Julio D’s earlier reply/comment — looks like Experian was unfreezing Julio’s frozen account to fraudsters?

    1. timeless

      The ability to freeze credit reports was implemented via state law [1] including civil penalties for violations.
      California’s [2] law includes a $2,500 civil action penalty (+attorney’s fees).

      It’s possible there are other things. It wouldn’t shock me if there was a way to use mail fraud law to go after them if they broke these freeze laws as well.

      [1] https://advocacy.consumerreports.org/research/state_security_freeze_laws/

      [2] http://web.archive.org/web/20121004035825/http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1785.10-1785.19.5%20

  27. Jon

    The website never works for me. I usually use the phone interface, like grandma does.

    They have my report with mixed information for a few other people, which is strange, since I’m related to everyone in the USA with my last name and there are only 2 with the same first/last name (different middle initial) and we live on opposite sides of the country and never lived anywhere near each other, never worked in the same industry or company and have 20 yrs age difference.
    The level of incompetence that is required to mix the records is awe-inspiring. I suspect part of the problem is that I pulled all my information off the internet and haven’t had a phone since 2000 with my name connected. Cell phone is cash-PAYGO and we use VoIP at home connecting to a company outside the USA – good for the NSA, bad for corporate tracking.

    The credit reporting companies need a nationwide class action lawsuit for holding and selling our information without our written approval. Just need for privacy laws to catch up to hold all companies that hold private information without our written approval with real teeth, like $1000 per leak, per incident. It would be too costly for them to have any leaks, so they’d actually take steps to properly protect the stolen information.

  28. Jake the Dog

    I continue to be amazed that anyone would recommend any of the 3 (4) credit agencies for credit monitoring…And I would suspect that by recommending victims of identity theft breaches avail themselves of such credit monitoring services, the recommending class action teams might be legally at risk, knowing they put the CA victims at the mercy of companies that might be considered as aiding and abetting further ID thefts. Hmm? Think we need government regulation on these companies?

    And more worrisome is Krebs reporting on the significant number of errors he found on his report, and Experian’s intransigence in repairing the report. Any regular citizen relying on accurate reports to obtain credit must waste time and effort to force these agencies to provide products that they “proudly” advertise as serving the public good.

    If it were up to me, I’d put a class action together based on damages and cost that every user of Experian credit services and products falsely assumed was protecting their individual data risk. Of course, once you’ve been a victim of identity theft, the horse is out of the barn. You can’t get a new SSN unless you go into witness protection. Data brokers and aggregators must be held to legally liable standards.
