When hackers broke into computers at Abilene Telco Federal Credit Union last year, they gained access to sensitive financial information on people from far beyond the bank’s home in west-central Texas.
The cyberthieves broke into an employee’s computer in September 2011 and stole the password for the bank’s online account with Experian Plc, the credit reporting agency with data on more than 740 million consumers. The intruders then downloaded credit reports on 847 people, said Dana Pardee, a branch manager at the bank. They took Social Security numbers, birthdates and detailed financial data on people across the country who had never done business with Abilene Telco, which has two locations and serves a city of 117,000.
The incident is one of 86 data breaches since 2006 that expose flaws in the way credit-reporting agencies protect their databases. Instead of directly targeting Experian, Equifax Inc. and TransUnion Corp., hackers are attacking affiliated businesses, such as banks, auto dealers and even a police department that rely on reporting agencies for background credit checks.
“This is profoundly important, because it illustrates a growing problem when it comes to data breaches and security – the chain is only as strong as its weakest link,” Senator Richard Blumenthal of Connecticut, a former attorney general who has investigated credit-rating agencies before, said in an interview. “If their customers have inadequate security practices, so do the credit bureaus.”
This approach has netted more than 17,000 credit reports taken from the agencies since 2006, according to Bloomberg.com’s examination of hundreds of pages of breach notification letters sent to victims. The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate who goes by the online pseudonym Dissent Doe and who asked not to be identified to preserve the separation between profession and advocacy.
Experian, based in Dublin, and Chicago-based TransUnion said in statements that the breaches began with infections of customers’ computers, an area over which they have little control. The credit bureaus said that their databases weren’t breached directly.
Tim Klein, a spokesman for Atlanta-based Equifax, and Clifton O’Neal, a spokesman for TransUnion, declined to comment on specific cases. Neither would provide details about any breaches they’ve had involving the compromised log-ins of clients.
“We continue to invest in the security systems we have in place to protect our clients and consumers,” Gerry Tschopp, a spokesman for Experian, said in an e-mailed statement. “Of course, the first line of defense lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means.”
Representatives of Abilene Telco said no bank employees were involved in the data breaches.
“We don’t know what happened and we don’t know how it happened — we just know we didn’t do it,” Pardee, the branch manager at Abilene Telco, now renamed First Priority Credit Union, recalls telling victims who called the bank after discovering that someone had viewed their credit reports.
Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports, according to the DataLossDB.org website, where Dissent Doe and other advocates have posted the documents. All of the incidents involved hackers stealing online log-in credentials from the credit bureaus’ customers.
The incidents shed new light on security weaknesses at credit bureaus at a time they are under investigation by both houses of Congress over how much data they collect and how it’s used. While security hasn’t been a focus of the probes, the breaches are cause for further investigation, Blumenthal said.
Dissent Doe has filed a complaint with the Federal Trade Commission, arguing for a formal investigation into Experian’s security practices and urging lawmakers to enact legislation that creates a national database of breach reports.
The FTC declined to comment specifically on the incidents. The agency has punished data brokers when hacking attacks on their customers led to the theft of credit reports. Last year, the FTC sued three credit-report resellers when compromised client log-ins resulted in more than 1,800 stolen reports. The agency also filed a lawsuit in 2008 against a mortgage lender after at least 400 credit reports were stolen.
Failure to Check
The commission faulted the companies for failing to check whether their customers had sufficient security and for not adequately monitoring suspicious behavior coming from them. The cases were settled, with the companies agreeing to 20 years of security audits.
“If you are providing access through an online portal, it’s your responsibility to secure that portal,” Maneesha Mithal, associate director of the FTC’s division of privacy and identity, said in an interview.
Credit reports are highly coveted in an identity theft industry that the U.S. Department of Justice estimates affected more than 8.6 million people and cost U.S. households $13.3 billion in direct financial losses in 2010.
When criminals steal a credit report, they get enough information to take out new credit cards, qualify for loans, get a driver’s license and even obtain medical treatment, according to Chris Jay Hoofnagle, director of information privacy programs for the Berkeley Center for Law & Technology.
“One basic problem is that unsophisticated companies tend to treat their own customers as insiders, and not treat them with the type of skepticism and controls aimed at outsiders (hackers),” he wrote in an e-mail. “Of course, the insider risk is a massive problem.”
A crackdown by the FTC almost a decade ago led to stronger security measures among information brokers, including credit bureaus, according to Jay Foley, a partner with the consulting firm ID Theft Info Source, who has followed the industry since 1999. Those efforts, though, have focused mostly on preventing the data providers from being tricked into giving criminals accounts that give them access to credit reports, Foley said.
A series of breaches at ChoicePoint and Seisint, data brokers that were bought by LexisNexis parent Reed Elsevier Plc, led to landmark settlements that served as a warning to the industry. The newly disclosed breaches show that credit bureaus haven’t invested enough in fraud-detection technology to spot odd behavior coming from customers, Foley said.
The company has since improved its security with a number of measures including audits and additional fraud-detection technologies, Stephen Brown, a spokesman for Reed Elsevier’s LexisNexis division, said in a statement.
“The industry has cleaned up its act, but the act it was cleaning up was who they were allowing to have credentials,” Foley said in an interview. So instead, criminals are going through the third parties that have already gotten approval, he said.