If you haven't read it, there is a good news story at Bloomberg about a recent data breach that affected not only the credit union but a broader number of consumers not affiliated with the credit union. The breach highlights the fact that identity criminals are smart and persistent.
In this breach incident, they targeted Abilene Telco Federal Credit Union and stole the credit union's ID and passwords to its Experian account. Those stolen credentials allowed the thieves to access and steal 847 consumers' credit reports. The breach highlighted the fact that instead of attacking the credit reporting agencies directly, identity criminals target the companies and lenders (e.g., banks, credit unions, auto dealers) that often buy consumer credit reports.
In the United States, the three major credit reporting agencies are Experian, Equifax, and TransUnion. However, there are many regional and local credit reporting agencies. All credit reporting agencies make money by selling credit reports to potential lenders: banks, credit unions, auto dealers, clothing stores, and similar retailers that provide credit to consumers. However, the big-three credit reporting agencies also make money by operating credit monitoring services both for consumers and for client companies' post-breach response.
Bloomberg reported that this approach by identity thieves:
"... has netted more than 17,000 credit reports taken from the agencies since 2006... The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate... Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports..."
You can learn about those breaches in this blog. If a credit reporting company can't adequately protect consumers' sensitive personal information, then they don't deserve to be in business. It's that simple. And:
- Client companies, like the Abilene Telco Federal Credit Union, that allegedly fail to adequately protect sensitive data should pay some (or all) of the post-breach management costs for all affected consumers
- Credit reporting agencies should include mandatory, yearly data security training for their client users
What's your opinion?