Breach
2022
It’s Still Easy for Anyone to Become You at Experian

Incident Details

During the summer of 2022, KrebsOnSecurity reported on the challenges faced by multiple individuals who found their accounts compromised at Experian, a leading consumer credit reporting agency, as cybercriminals were able to take control by re-registering the accounts with different email addresses. Over a year later, Experian still appears to have not resolved this significant security flaw, evident from my recent experience of having my own Experian account breached and having to recreate it entirely to regain access. Despite my attempt to obtain a copy of my credit report from Experian through annualcreditreport.com, the request was denied on grounds of identity verification issues. Similarly, my efforts to log in directly to my account on Experian.com were met with failure as the website indicated a failure to recognize my login credentials. Moreover, the process to retrieve my Experian account username necessitated the provision of my complete Social Security number and date of birth, following which the website disclosed segments of an email address that was unfamiliar and unapproved by me (with the full email address being concealed by Experian).

Incident

How Did the Breach Happen?

Thieves successfully re-registered accounts at Experian by using an alternate email address, overcoming the security protocols and taking control of user accounts.

What Data has been Compromised?

The security breach exposed private data including usernames, passwords, complete Social Security numbers, dates of birth, and unauthorized email addresses.

Why Did the Company's Security Measures Fail?

Experian's security protocols were unsuccessful as they did not adequately authenticate users' identities during the account re-registration process, thereby enabling identity thieves to circumvent authentication with ease.

What Immediate Impact Did the Breach Have on the Company?

The breach resulted in an immediate decline in trust and reputation for Experian, as users' accounts were taken over and their confidential data was exposed.

How Could This Have Been Prevented?

Stronger authentication measures, such as the incorporation of extra verification steps like email or phone confirmation during the re-registration of accounts, could have potentially averted this security breach.
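The sketch below is an added example, not Experian's code: it contrasts a re-registration handler that overwrites the email on an existing account with one that holds the change until a one-time token sent to the address already on file is confirmed. The class, method names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

class AccountStore:
    """Toy in-memory store; accounts are keyed by (ssn, dob) for illustration only."""

    def __init__(self):
        self.accounts = {}  # (ssn, dob) -> {"email": ...}
        self.pending = {}   # (ssn, dob) -> (new_email, sha256 of token)
        self.outbox = []    # (recipient, token) pairs standing in for sent mail

    def register_weak(self, ssn, dob, email):
        # Flaw described above: knowing SSN + DOB is enough to replace
        # the email on an account that already exists.
        self.accounts[(ssn, dob)] = {"email": email}
        return "registered"

    def register_hardened(self, ssn, dob, email):
        key = (ssn, dob)
        if key not in self.accounts:
            self.accounts[key] = {"email": email}
            return "registered"
        # Existing account: hold the change and send a one-time token
        # to the address already on file, never to the new one.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, digest)  # store only the token hash
        self.outbox.append((self.accounts[key]["email"], token))
        return "pending_confirmation"

    def confirm_change(self, ssn, dob, token):
        key = (ssn, dob)
        entry = self.pending.get(key)
        if entry is None:
            return False
        new_email, digest = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(supplied, digest):
            return False
        del self.pending[key]  # token is single use
        self.accounts[key]["email"] = new_email
        return True
```

A production flow would also expire pending tokens, rate-limit attempts, and notify the old address after any successful change.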

What Have We Learned from This Data Breach?

This incident has highlighted the significance of putting in place strong security measures to safeguard user accounts and personal data. Ensuring thorough verification of users' identities and frequently updating security protocols are essential steps in preventing security breaches.

Summary of Coverage

During the summer of 2022, identity thieves targeted numerous Experian account holders, gaining unauthorized access by updating the account information with new email addresses. Experian's insufficient security protocols led to this breach, exposing sensitive information such as usernames, passwords, Social Security numbers, dates of birth, and unapproved email addresses. This incident underscored the necessity for enhanced authentication procedures and served as a prompt to prioritize safeguarding user accounts and personal data.
