Equifax made headlines on September 7, 2017, when it announced its discovery of a data breach earlier in the year. In the security incident, computer criminals leveraged a “U.S. website application vulnerability” to view some of the consumer credit reporting agency’s files. That access helped them compromise 143 million U.S. consumers’ Social Security Numbers, dates of birth, and other sensitive personal information.
It’s thought the attackers also exposed 209,000 Americans’ credit card numbers along with the personal information of as many as 44 million UK citizens and an undisclosed number of Canadians.
While consumers take the time to investigate whether the breach affected them and to protect themselves against identity theft, it’s important to explore the incident’s historical significance. A look back to recent years reveals this breach isn’t the first time that hackers have targeted a credit bureau in the United States. Here are four other security events that affected or involved U.S. credit bureaus in some way.
- EXPERIAN/COURT VENTURES (PRIOR TO MARCH 2012)
In March 2012, global information services group and credit bureau Experian purchased a legal data retrieval services company called Court Ventures. Sometime after that purchase, the U.S. Secret Service notified Experian that Court Ventures was selling information from US Info Search, a reverse data lookup platform, to a Vietnamese national named Hieu Minh Ngo. The individual posed as a business owner to access data through Court Ventures, whose contract with US Info Search predated Experian’s purchase of the data retrieval firm.
Some news reports at the time said the incident compromised a total of 200 million Experian customers’ records containing personal information. In a statement posted to its website, Experian clarifies that Ngo didn’t access any of its databases and instead exposed a “much lower” number of records stored by US Info Search. Even so, the credit bureau filed a lawsuit against the former owners of Court Ventures “for permitting the sale of US Info Search’s data to Ngo.”
- EQUIFAX, EXPERIAN, AND TRANSUNION (MARCH 2013)
Equifax, Experian, and TransUnion all acknowledged intrusions into their systems after information pertaining to celebrities and high-profile figures ended up on a website called Exposed. According to Computer Reseller News, sensitive data for former First Lady Michelle Obama, Paris Hilton, former Secretary of State Hillary Clinton, and former FBI Director Robert Mueller ended up on the site after attackers gained “fraudulent and unauthorized access” to those individuals’ credit reports.
They did so without the use of malware or software vulnerabilities. Instead, they leveraged publicly available information to bypass the three credit bureaus’ authentication measures by answering all the necessary security questions.
- EXPERIAN/T-MOBILE (DECEMBER 2013 AND OCTOBER 2015)
On 30 December 2013, T-Mobile submitted a letter to the Office of the Attorney General about a data breach that affected a “relatively small” number of customers. The security incident occurred after an unauthorized party gained access to a file stored on a server operated by one of the mobile operator company’s suppliers. T-Mobile later identified this supplier as Decisioning Solutions, an authentication company which Experian acquired in April 2013. Experian ultimately folded Decisioning Solutions into its Decision Analytics platform.
T-Mobile disclosed another breach less than two years later. This time, a hacking incident involving Experian’s systems resulted in the theft of 15 million T-Mobile customers’ Social Security Numbers and other personal information.
- EQUIFAX (MAY 2016)
Back in May 2016, grocery giant Kroger sent out a letter to current and some former employees about a security incident. The breach took place when attackers accessed Equifax’s W2Express website, a resource which offers downloadable W-2 forms for companies. Attackers apparently gained access to Kroger employees’ W-2 forms by entering their Social Security Numbers and birth years after stealing the information from other sources. Subsequently, they exposed all affected employees’ tax data and salary
- Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement
The credit bureau Equifax will pay about $650 million — and perhaps much more — to resolve most claims stemming from a 2017 data breach that exposed sensitive information on more than 147 million consumers and demonstrated how little control Americans have over their personal data.
The settlement does not just compensate victims who lost money: People who suffered through the hassles of bank phone trees and credit-card customer service lines can bill Equifax $25 an hour for their time.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said the New York attorney general, Letitia James, who helped lead the states’ investigation.
The breach not only exposed private information but also put a spotlight on the loosely regulated role credit bureaus play in the day-to-day lives of Americans. Equifax makes money by selling its vast trove of information to auto loan, mortgage and credit card issuers.
“The Equifax fine is grievously low, particularly given the scope of the identity problems they created,” said Pam Dixon, the executive director of the World Privacy Forum.
Major data breaches have become an almost routine occurrence. Last year, the Marriott hotel chain disclosed that thieves had stolen personal details on roughly 500 million guests, an attack that has been attributed to a Chinese intelligence-gathering effort. In May, a security journalist revealed that a major title insurance company, First American Financial Corporation, had left nearly 900 million documents related to mortgage deals online and unprotected.