I'm not sure if there is an easy way for Experian et al. to block this.
They probably (hopefully) have systems in place to monitor the access rate, and possibly autoblock if it is exceeded. This might have been how it was detected.
Hackers managed to get login credentials for Experian's credit scoring reports after they broke into the systems of Abilene Telco Federal Credit Union last year, it has emerged. Crooks gained access to the west Texan bank's systems after hacking into an employee's computer. The September 2011 breach allowed the hackers to get …
Because they will accept any submission of creditworthiness, without verifying its accuracy.
The onus is placed on the individual named to 'clean up' any mistakes made.
There are firms in the US who buy lots of "written off debt", and resubmit those accounts periodically in some lame attempt to get some sucker to "pay up". A term often used to describe this is zombie debt.
"Anything stored on a computer can be hacked, and that is a fact."
What about the stuff that's on the scrap PC in my garden holding the tomato plant's growbag up?
If you're counting hacking-with-physical access then... well you could say a filing cabinet's been hacked if you pick the lock and take the paper out.
The people about whom the data is held are known as data subjects.
Data subjects can certainly access the information about them, that is one of the core tenets of data protection legislation.
The major credit reference agencies in the UK offer services specifically aimed at data subjects, to allow them to monitor and control their credit file, usually online.
It's not about having access - it's about control - which is something that the data subject has little of.
Not to mention that a bank doesn't need to disclose who they are using and there are several credit agencies putting the onus on you as a data subject to (1) find out which agencies have files on you, (2) contact them all and (3) pay for the privilege of getting access for each one.
But there's no control, all you can do is ask them to append your own comments or petition the financial institution to amend your record - but you don't have control to change it at all.
It should be illegal for companies to simply gather data about you from random places and then 'sell' that file. It should be akin to libel and they should come under libel laws if they have wrong data - but they're another faceless institution just waved in through corrupt legislation made by corrupt politicians.
What the law should really stipulate is you - the data subject - personally get to choose 1 credit agency to go with - who you will authorise to gather your financial history. Then when you apply for an account with an institution - your own authorised data file is passed to them. That is how it should happen.
But like every other consumer 'protection' law, it's all arse backwards and allows the real scumbags to assume adequate permissions.
Odd....
When I walked into work this morning I was greeted by a fellow employee asking if I had signed up for Free credit Monitoring offered by Experian. I had no idea what he was talking about and he explained hackers had somehow accessed some records.....blah, blah blah.......
Upon reading this article, it pertained to Texas.
I live in SC, so going to my local news station I learn that this affects SC and myself as well.
http://www.wrdw.com/home/headlines/Taxpayers-affected-by-cyber-attack-have-until-January-to-register-for-credit-monitoring-176279041.html
The credit reporting agencies are scumbags and have zero incentive to fix incorrect information or to allow for protection against fraud - the system is fundamentally broken and will not get fixed until a big name politician or his family gets targeted. I have spent the past 6 months and countless hours and at least 15 recorded delivery letters trying to get an error fixed on my credit report - one stating that a flat I sold 18 months ago is currently being foreclosed upon. This mistake prevented me from getting a corporate credit card at my new job (which is how I found out it was on my "records") and I have lifted heaven and earth trying to get it corrected.
The agencies don't care. We are their product, not their customer and they have no incentive at all to fix mistakes or provide safeguards. While investigating this mess I also found that there is a bank in New Jersey pulling "hard" credit reports (as if I were applying for a loan with them) monthly - I have never done business with them, but the agencies tell me there is no way to stop this and my score takes a hit each time.
Awful, awful people in an industry that deserves to die.
I had a fairly serious error on my credit report; I had it corrected by filling in an online form, IIRC. The whole process was so easy that I can't actually remember anything about it, other than it was quick, efficient and painless.
But then again you can always find someone on the Internet with something bad to say about a personal experience, it's very rare for anyone with good things to say to comment because there's no incentive for them to do so.
@ the second AC
I don't know where you live, but it's pretty clear that the first AC lives in the USA. Now I don't know what their Data Protection legislation is like, but in the UK you actually have some pretty good rights under the Data Protection Act to get it corrected, so perhaps it was easier for you than for him.
Yep, I spent years trying to clear up a number of errors on my credit file caused by identity theft. Police weren't interested - civil matter - my ar$e. There are a number of credit agencies, so you have to contact each and every one of them. This didn't just affect me, but my brother, mother & father who all lived at different addresses.
So know how you feel. Financial ombudsman job in the end with the final error.
Much more than half of the country has had bad credit since the crash, and the other half don't need further credit. When (and if) the banks ever start lending again, they'll have to think up different ways of measuring future risk, as our credit histories paint more of a picture of the state of the country than they do about our individual worthiness for credit in the future.
To access my online bank account, not only do I need my login id and password but I also have to enter a one-time code from a physical authenticator device.
Surely Experian and co could implement a similar measure for their systems? In their case it seems all the more important given the wide-ranging and sensitive data they hold.
Different use case. Where the bank (and possibly you) stands to lose real money, they put a lot of protection into it. It is also likely you, at most, access your bank a few times a day.
Pulling credit reports is different. First, Experian loses nothing if you slurp up tons of other people's data. You can't transfer anything away from them; even if you copied the entire database, they'd still have the database, unlike transferring money out of one's account. Second, one business can pull hundreds of credit reports in a day. Also, the history of pulling credit reports can be very 'bursty'. You might run a big sale over a weekend and pull 50 reports then only do a few over the next week.
Since these businesses don't care enough about your personal information already (they're letting their systems get infected), if Experian makes it too difficult to pull data, it's likely the business could use another data service that gave easier access.
Actually says something very positive about Experian's security when banks and law-enforcement agencies' systems are seen as the soft/easy way in!
If I had a shop next to a bank and criminals broke in by going through the vault and tunnelling into my premises, I'd probably buy my security contractor a beer or two.
as is permitted under Canadian legislation.
The most frequent inquirer is Revenue Canada, four times annually for the past 24 years. I guess they are looking for my tax money. I don't use credit, I have no cards and therefore they have no need to have any records reflecting my current location.
I always use credit bureaus when I sue people, it provides such a rich source of embarrassing information on the proposed defendant.
The data in their database is essentially public domain as it's available to anyone willing to pay, or with access to a login.
A fraudster could legitimately pay for this data before setting up a fraudulent credit application. Although this would go against the grain.
During part of the Vietnam War, hundreds of thousands of US soldiers (could be over a million) sent letters home postage free by writing their military serial numbers -- at the time, it was the SSAN -- on the outside of the envelopes and the word "FREE" where a stamp would go.
It was required then that one's name and service number (Social Security number, for the Army) be marked on every piece of footwear, every hat, cap and belt, and in large numbers on the outside of one's duffel bag.
The FBI also recommended ordinary citizens etch it into each valuable item to make recovery easier after a theft.
Such markings may still be found on items offered in war-surplus, militaria and used goods and antique shops.
Secure, it isn't.
I find it interesting the listing of routes that ID thieves use includes "law enforcement". I would feel much more comfortable if law enforcement had to get a warrant for one's credit history rather than having a direct link to the bureaus' computers. I wonder if the donut munchers sit around and run credit reports on celebrities for fun.
This is just a sad symptom of a too liberal government and too little regulation.
The solution is simple: regulate the fuck out of the credit rating companies.
Since most people in the US are liberals (yes both parties are liberal, compared to e.g. some parties in the EU), then I have zero sympathy. Don't vote Reps or Dems and then complain about this shit, afaik there are other (currently small) parties to vote for in the US.
Like most businesses, the company I last worked for had a large customer database with confidential information in it.
"Agents" who dealt with customers could only "log in" to one customer record at a time, the one they were dealing with, and all access was logged.
Planners and statisticians were restricted in the content of the data dumps they could request, and software developers' test data had to be fully anonymized before we got our hands on it. Software developers were never allowed to touch production machines.
Simple stuff, and by no means infallible, but better by far than the complete wide-open approach in this story.