Experian Plc, the credit-reporting giant with financial information on more than 740 million consumers, is being investigated by Irish regulators in the wake of a series of breaches of the company’s databases.
The Office of the Data Protection Commissioner, which enforces privacy laws in Ireland, has opened a preliminary inquiry into the security practices of Dublin-based Experian, said Gary Davis, the agency’s deputy commissioner. The move was prompted by an Oct. 29 story on Bloomberg.com’s Tech Blog showing that Experian’s database was breached at least 80 times, leading to the theft of almost 15,500 credit reports since 2006, he said.
“At this stage all we’re doing is probing the matter based on media reports,” Davis said in an interview. “We don’t have anything other than what’s in the public domain, and we have to wait for them to get back to us.”
Regulators have asked Experian whether breaches have affected Irish consumers or businesses, and requested information on what steps the company is taking to prevent unauthorized access to its databases, Davis said.
In each case, hackers broke into the computer networks of Experian customers, stole the credentials those customers used to pull credit reports online and used them to download reports. A central question for regulators is whether Experian can be held responsible for failing to detect the fraudulent activity on its own systems.
Gerry Tschopp, a spokesman for Experian, declined to comment directly on the Irish inquiry. The breaches were “isolated security issues experienced by a small number of our clients in North America involving U.S. consumers under U.S. data-protection jurisdiction,” he said in an e-mailed statement.
“While it is the responsibility of clients to maintain and monitor the security of their own systems and credentials, we use sophisticated technology to detect anomalies that might indicate suspicious activity in systems access, which we immediately flag to the client and, when appropriate, to consumers and law enforcement,” Tschopp wrote.
As a policy, the U.S. Federal Trade Commission wouldn’t confirm or deny whether it was conducting its own investigation, said Laura Berger, a senior attorney in the division of privacy and identity protection. The FTC, however, has filed cases before against other owners of sensitive data for breaches that started on their customers’ computer networks.
Experian and the two other major U.S. credit-reporting firms – Equifax Inc. and TransUnion Corp. – are currently under investigation by both houses of Congress over how much data they collect and how it’s used, and security could become a part of those probes.
The data in credit reports can enable the worst forms of identity theft, from credit-card fraud to people obtaining medical services and committing murders in their victims’ names. The reports are valuable because they contain Social Security numbers, birth dates and detailed credit histories.
The breaches examined by Bloomberg.com encompassed six U.S. states, offering a limited view into the security risks facing Experian. The breaches were uncovered through public-records requests by a privacy advocate who goes by the online pseudonym Dissent Doe. Doe asked not to be identified to preserve the separation between profession and advocacy.
The records Doe obtained were copies of breach notification letters that Experian sent to victims in Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. Doe has put in requests for other states as well.
Experian has declined to offer specifics about the total number of breaches it has suffered.
The company has a global presence, which could make it vulnerable to regulatory actions abroad if it’s discovered that breaches affected European consumers, said Daragh O Brien, founder of Castlebridge Associates, a data-protection consulting firm in Dublin.
The onus is on Experian, not its customers, to ensure the data is protected, he added.
“It is, in my view, unlikely that any data protection authority would accept the owner and controller of a database containing large volumes of personal data pushing the responsibility for breaches back on their customers,” O Brien wrote.
Friendly and Strict
Ireland offers corporate-friendly tax rates, helping make it a destination for companies such as Facebook Inc., Twitter Inc. and LinkedIn Corp. to set up offices there. Also, like much of Europe, it has strict privacy protections. Irish regulators can force companies to make major policy changes. For instance, the commissioner’s office played a key role in forcing Facebook to agree in September to delete facial-recognition data collected on European Union users.
One area that regulators are looking at is whether Experian properly safeguards its databases from hackers, Davis said.
The breaches of Experian’s database all had the same theme: Hackers broke into the computer systems of small banks, auto dealers and other customers, stole the passwords for accessing Experian credit reports online, and downloaded people’s information.
One case in particular illustrates how Experian could be held responsible for breaches that began on its customers’ computer networks, which it doesn’t directly control.
Abilene Telco Federal Credit Union, a small credit union in west-central Texas, had its online password for Experian’s service stolen last year.
On Sept. 18, a Sunday, the hackers started downloading credit reports in rapid succession, Dana Pardee, a branch manager at the bank, said in an interview. By Monday, the intruders had stolen credit reports on 847 people, and the bank later got a bill for $3,493.73, Pardee said.
“I was amazed at how fast these things were pulled — there are only a second or two between transactions,” she said.
The bank found out it was breached when people who had never done business with Abilene Telco started calling, sometimes two or three a day, demanding to know why the company’s name was appearing on their credit reports.
Experian should have known the transactions were fraudulent because Abilene Telco, now renamed First Priority Credit Union, typically had a monthly bill of $100 or less and never pulled that many credit reports, Pardee said. Also, the attack began on a day the bank wasn’t open, she said.
The incident pointed to what some analysts say is a need for credit-reporting agencies to invest in more advanced fraud-detection technologies that would have spotted the anomalies.
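As an added illustration, and not Experian’s or the credit union’s own detection logic, the following Python sketch implements the three signals Pardee’s account points to: daily volume far above the client’s own baseline, pulls arriving in rapid succession, and activity on a day the client has never used the service. The log format, client names and report IDs are constructed for the example; the thresholds are assumptions a real deployment would tune per client.

```python
"""Baseline-and-velocity anomaly checks over credit-report access logs.

Added example only: the log format below is invented for the illustration and
is not Experian's. Each line records one report pull by one client account.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: three quiet weekdays for "abilene-telco", then six
# pulls a few seconds apart on Sunday 2011-09-18; a second client with one
# ordinary Monday pull and one Sunday pull for comparison.
SAMPLE_LOG = """\
2011-09-12T15:02:11Z client=abilene-telco action=pull_report report_id=r1
2011-09-13T16:44:09Z client=abilene-telco action=pull_report report_id=r2
2011-09-15T14:10:30Z client=abilene-telco action=pull_report report_id=r3
2011-09-18T14:00:00Z client=abilene-telco action=pull_report report_id=r4
2011-09-18T14:00:01Z client=abilene-telco action=pull_report report_id=r5
2011-09-18T14:00:03Z client=abilene-telco action=pull_report report_id=r6
2011-09-18T14:00:04Z client=abilene-telco action=pull_report report_id=r7
2011-09-18T14:00:06Z client=abilene-telco action=pull_report report_id=r8
2011-09-18T14:00:07Z client=abilene-telco action=pull_report report_id=r9
2011-09-12T15:30:00Z client=big-lender action=pull_report report_id=r10
2011-09-18T09:00:00Z client=big-lender action=pull_report report_id=r11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) action=pull_report report_id=(?P<rid>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into sorted (timestamp, client, report_id) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a report pull; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["client"], m["rid"]))
    events.sort()
    return events


def detect_anomalies(events, volume_multiplier=5.0, min_floor=5,
                     burst_count=5, burst_window_s=30):
    """Return {(client, 'YYYY-MM-DD'): [signal, ...]} for days tripping any check.

    Every check is relative to the same client's history before that day, so a
    large lender's normal Sunday traffic is not judged by a small client's norm:
      volume    - pulls that day exceed max(min_floor, multiplier * mean daily pulls)
      burst     - burst_count or more pulls inside burst_window_s seconds
      off_hours - a weekend day for a client that has never pulled on a weekend
    """
    by_client_day = defaultdict(list)
    for ts, client, _rid in events:
        by_client_day[(client, ts.date())].append(ts)

    findings = {}
    for (client, day), stamps in sorted(by_client_day.items()):
        history = {d: v for (c, d), v in by_client_day.items() if c == client and d < day}
        signals = []

        # volume: today's count against the mean of prior daily counts
        prior_counts = [len(v) for v in history.values()]
        mean = sum(prior_counts) / len(prior_counts) if prior_counts else 0.0
        if len(stamps) > max(min_floor, volume_multiplier * mean):
            signals.append("volume")

        # burst: sliding window of burst_count consecutive pulls
        stamps = sorted(stamps)
        for i in range(len(stamps) - burst_count + 1):
            if (stamps[i + burst_count - 1] - stamps[i]).total_seconds() <= burst_window_s:
                signals.append("burst")
                break

        # off-hours: weekend activity with no weekend precedent (Mon=0 ... Sun=6)
        if day.weekday() >= 5 and not any(d.weekday() >= 5 for d in history):
            signals.append("off_hours")

        if signals:
            findings[(client, day.isoformat())] = signals
    return findings


def severity(signals):
    """One signal is worth a look; two or more together warrant calling the client."""
    return "high" if len(signals) >= 2 else "low"


if __name__ == "__main__":
    for key, sigs in detect_anomalies(parse_log(SAMPLE_LOG)).items():
        print(key, sigs, severity(sigs))
```

On the sample data the Sunday burst trips all three checks for abilene-telco, while big-lender’s single Sunday pull trips only the off-hours check; grading on the number of independent signals rather than any one of them is what keeps a detector like this from paging on every client that happens to work a weekend.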
Experian’s Tschopp earlier said that “the first line of defense lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means.”