I've Been Mugged: Data Breach Raises Questions About Whether Credit Reporting Agencies Can Adequately Protect Consumer Data

Tuesday, October 30, 2012

Data Breach Raises Questions About Whether Credit Reporting Agencies Can Adequately Protect Consumer Data

If you haven't read it, there is a good news story at Bloomberg about a recent data breach that affected not only the credit union but a broader number consumers not affiliated with the credit union. The breach highlighs the fact that Identity criminals are smart and persisntent.

In this breach incident, they targeted Abilene Telco Federal Credit Union and stole the credit union's ID and passwords to its Experian account. Those stolen credentials allowed the thieves to access and steal 847 consumers' credit reports. The breach highlighted the fact that instead of attacking the credit reporting agencies directly, identity criminals target the companies and lenders (e.g., banks, credit unions, auto dealers) that often buy consumer credit reports.

In the United States, the three major credit reporting agencies are Experian, Equifax, and TransUnion. However, there are many regional and local credit reporting agencies. All credit reporting agencies make money by selling credit reports to potential lenders: banks, credit unions, auto dealers, clothing stores, and similar retailers that provide credit to consumers. However, the big-three credit unions also make money by operating credit monitoring services both for consumers and for client companies' post-breach response.

Bloomberg reported that this approach by identity thieves:

"... has netted more than 17,000 credit reports taken from the agencies since 2006... The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate... Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports..."

You can learn about those breaches in this blog. If a credit reporting company can't adequately protect consumers' sensitive personal information, then they don't deserve to be in business. It's that simple. And:

Client companies like the Abilene Telco Federal Credit Union, that allegedly fail to adequately protect sensitive data, should pay some (or all) of the post-breach management costs for all affected consumers
Credit reporting agencies should include mandatory, yearly data security training for their client users

What's your opinion?

Posted on Tuesday, October 30, 2012 at 08:58 AM in Corporate Responsibility, Credit Reporting Agencies, Data Breaches | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e008d035db8834017d3d176932970c

Listed below are links to weblogs that reference Data Breach Raises Questions About Whether Credit Reporting Agencies Can Adequately Protect Consumer Data:

Comments

You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by: |

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:

Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.