Hackers crack Texan bank, Experian credit records come flooding out

Hackers managed to get login credentials for Experian's credit scoring reports after they broke into the systems of Abilene Telco Federal Credit Union last year, it has emerged. Crooks gained access to the west Texan bank's systems after hacking into an employee's computer. The September 2011 breach allowed the hackers to get …

COMMENTS

This topic is closed for new posts.
  1. Colin Miller

    I'm not sure if there is easy way for Experian et al. to block this.

    They probably (hopefully) have systems in place to monitor the access rate, and possibly autoblock if it is exceeded. This might have been how it was detected.

    1. C-N

      They could stop charging a flat rate for the whole DB. Or, even better, if the subject of the query had to give permission before any data could be released.

      Disclosure: I think credit reporting agencies are scumbags.

      1. Anonymous Coward

        @C-N

        "Disclosure: I think credit reporting agencies are scumbags..."

        Why?

        1. Fatman

          Re: "Disclosure: I think credit reporting agencies are scumbags..." Why?

          Because they will accept any submission of creditworthiness, without verifying its accuracy.

          The onus is placed on the individual named to 'clean up' any mistakes made.

          There are firms in the US who buy lots of "written off debt", and resubmit those accounts periodically in some lame attempt to get some sucker to "pay up". A term often used to describe this is zombie debt.

      2. Anonymous Coward

        I hope you don't think you're alone in that

        see above

    2. Anonymous Coward

      Anything

      Anything stored on a computer can be hacked, and that is a fact.

      1. mark 63 Silver badge

        Re: Anything

        "Anything stored on a computer can be hacked, and that is a fact."

        What about the stuff that's on the scrap PC in my garden holding the tomato plant's growbag up?

        If you're counting hacking with physical access then... well, you could say a filing cabinet's been hacked if you pick the lock and take the paper out.

  2. Sir Runcible Spoon

    Sir

    "Of course, the first line of defence lies with end users who are obligated to manage and protect their credentials"

    'end user' - do they mean the companies that are accessing the data? This term is usually used to refer to the person whose data it is, but they can't mean that, can they?

    1. Aaron Em

      They can't and they don't

      'End users' in this case refers to the financial institutions, who are end users of the credit bureaus' services, and not to those institutions' supplicants, who do not use the bureaus' services at all.

      1. Anonymous Coward

        Re: They can't and they don't

        The people about whom the data is held are known as data subjects.

        Data subjects can certainly access the information about them, that is one of the core tenets of data protection legislation.

        The major credit reference agencies in the UK offer services specifically aimed at data subjects, to allow them to monitor and control their credit file, usually online.

        1. Keep Refrigerated
          Flame

          Re: They can't and they don't

          It's not about having access - it's about control - which is something that the data subject has little of.

          Not to mention that a bank doesn't need to disclose who they are using and there are several credit agencies putting the onus on you as a data subject to (1) find out which agencies have files on you, (2) contact them all and (3) pay for the privilege of getting access for each one.

          But there's no control, all you can do is ask them to append your own comments or petition the financial institution to amend your record - but you don't have control to change it at all.

          It should be illegal for companies to simply gather data about you from random places and then 'sell' that file. It should be akin to libel and they should come under libel laws if they have wrong data - but they're another faceless institution just waved in through corrupt legislation made by corrupt politicians.

          What the law should really stipulate is you - the data subject - personally get to choose 1 credit agency to go with - who you will authorise to gather your financial history. Then when you apply for an account with an institution - your own authorised data file is passed to them. That is how it should happen.

          But like every other consumer 'protection' law, it's all arse backwards and allows the real scumbags to assume adequate permissions.

          1. Anonymous Coward

            "gather data about you from random places"

            This they do not do. The kind of information that can be stored in your credit file is restricted by law, and only comprises details which are provided by those participating in the scheme.

  3. C-N
    Flame

    Not To Worry!

    For individuals whose data was stolen, there is no need to worry. Experian has a line of Identity Theft and Credit Protection products for purchase. Protect yourself today!

  4. Anonymous Coward

    Odd....

    when I walked into work this morning I was greeted by a fellow employee asking if I had signed up for Free credit Monitoring offered by Experian. I had no idea what he was talking about and he explained hackers had somehow accessed some records.....blah, blah blah.......

    Upon reading this article, it pertained to Texas.

    I live in SC, so going to my local news station I learn that this affects SC and myself as well.

    http://www.wrdw.com/home/headlines/Taxpayers-affected-by-cyber-attack-have-until-January-to-register-for-credit-monitoring-176279041.html

  5. Anonymous Coward

    The credit reporting agencies are scumbags and have zero incentive to fix incorrect information or to allow for protection against fraud - the system is fundamentally broken and will not get fixed until a big name politician or his family gets targeted. I have spent the past 6 months and countless hours and at least 15 recorded delivery letters trying to get an error fixed on my credit report - one stating that a flat I sold 18 months ago is currently being foreclosed upon. This mistake prevented me from getting a corporate credit card at my new job (which is how I found out it was on my "records") and I have lifted heaven and earth trying to get it corrected.

    The agencies don't care. We are their product, not their customer and they have no incentive at all to fix mistakes or provide safeguards. While investigating this mess I also found that there is a bank in New Jersey pulling "hard" credit reports (as if I were applying for a loan with them) monthly - I have never done business with them, but the agencies tell me there is no way to stop this and my score takes a hit each time.

    Awful, awful people in an industry that deserves to die.

    1. Anonymous Coward

      Really?

      I had a fairly serious error on my credit report, I had it corrected by filling in an online form, IIRC. The whole process was so easy that I can't actually remember anything about it, other than it was quick efficient and painless.

      But then again you can always find someone on the Internet with something bad to say about a personal experience, it's very rare for anyone with good things to say to comment because there's no incentive for them to do so.

      1. Graham Marsden

        Re: Really?

        @ the second AC

        I don't know where you live, but it's pretty clear that the first AC lives in the USA. Now I don't know what their Data Protection legislation is like, but in the UK you actually have some pretty good rights under the Data Protection Act to get it corrected, so perhaps it was easier for you than for him.

    2. Anonymous Coward

      Me too

      Yep, I spent years trying to clear up a number of errors on my credit file caused by identity theft. Police weren't interested - civil matter - my ar$e. There are a number of credit agencies, so you have to contact each and every one of them. This didn't just affect me, but my brother, mother & father who all lived at different addresses.

      So know how you feel. Financial ombudsman job in the end with the final error.

  6. nuked

    Credit reference agencies have had their day.

    Much more than half of the country has had bad credit since the crash, and the other half don't need further credit. When (and if) the banks ever start lending again, they'll have to think up different ways of measuring future risk, as our credit histories paint more of a picture of the state of the country than they do of our individual worthiness for credit in the future.

    1. Anonymous Coward

      Re: Credit reference agencies have had their day.

      What a load of rubbish. Of course your credit history, current pay rate and indebtedness are a good way of predicting whether you're likely to pay back a loan or not.

    2. Anonymous Coward

      Re: Credit reference agencies have had their day.

      I'm not rich by any means, yet have two car loans and can buy a house with a nice APR for 5% down. Seems like banks are lending to me?

  7. Tim Brown 1
    Holmes

    how about some sort of authenticator?

    To access my online bank account, not only do I need my login id and password but I also have to enter a one-time code from a physical authenticator device.

    Surely Experian and co could implement a similar measure for their systems? In their case it seems all the more important given the wide-ranging and sensitive data they hold.

    1. pixl97

      Re: how about some sort of authenticator?

      Different use case. Where the bank (and possibly you) stands to lose real money, they put a lot of protection into it. It is also likely that you, at most, access your bank a few times a day.

      Pulling credit reports is different. First, Experian loses nothing if you slurp up tons of other people's data. You can't transfer anything away from them; even if you copied the entire database, they'd still have the database, unlike transferring money out of one's account. Second, one business can pull hundreds of credit reports in a day. Also, the history of pulling credit reports can be very 'bursty'. You might run a big sale over a weekend and pull 50 reports, then only do a few over the next week.

      Since these businesses don't care enough about your personal information already (they're letting their systems get infected), if Experian makes it too difficult to pull data, it's likely the business could use another data service that gave easier access.

  8. AlexH

    Credit to Experian

    Actually says something very positive about Experian's security when banks and law-enforcement agencies' systems are seen as the soft/easy way in!

    If I had a shop next to a bank and criminals broke in by going through the vault and tunnelling into my premises, I'd probably buy my security contractor a beer or two.

  9. JaitcH
    FAIL

    I pull my credit record annually ...

    as is permitted under Canadian legislation.


    The most frequent inquirer is Revenue Canada, four times annually for the past 24 years. I guess they are looking for my tax money. I don't use credit, I have no cards and therefore they have no need to have any records reflecting my current location.

    I always use credit bureaus when I sue people, it provides such a rich source of embarrassing information on the proposed defendant.

  10. disgruntled yank

    flood?

    Were I one of the 847 whose information was exposed, I'd be furious. But the headline does not seem to fit the story.

  11. James Anderson

    The data was public domain.

    The data in their database is essentially public domain as it's available to anyone willing to pay, or with access to a login.

    A fraudster could legitimately pay for this data before setting up a fraudulent credit application. Although this would go against the grain.

    1. unitron
      FAIL

      Re: The data was public domain.

      In the U.S., one's Social Security number is most certainly not "Public Domain".

      1. Anonymous Coward

        Re: The data was public domain.

        During part of the Vietnam War, hundreds of thousands of US soldiers (could be over a million) sent letters home postage free by writing their military serial numbers -- at the time, it was the SSAN -- on the outside of the envelopes and the word "FREE" where a stamp would go.

        It was required then that one's name and service number (Social Security number, for the Army) be marked on every piece of footwear, every hat, cap and belt, and in large numbers on the outside of one's duffel bag.

        The FBI also recommended ordinary citizens etch it into each valuable item to make recovery easier after a theft.

        Such markings may still be found on items offered in war-surplus, militaria and used goods and antique shops.

        Secure, it isn't.

  12. MachDiamond Silver badge

    Law Enforcement?

    I find it interesting that the listing of routes that ID thieves use includes "law enforcement". I would feel much more comfortable if law enforcement had to get a warrant for one's credit history rather than having a direct link to the bureaus' computers. I wonder if the donut munchers sit around and run credit reports on celebrities for fun.

  13. M Gale

    The way I thought this worked:

    Bank: We'd like to run a credit check on this person.

    Experia: Okay, here you are.

    The way it now appears to work?

    Bank: Give us your entire database.

    Experia: Okay, here you are.

    Anybody else see what's wrong here?

    1. Anonymous Coward

      Re: The way I thought this worked:

      Um, your speculation about the process is quite meaningless when you don't even know what the organisation is called.

      1. M Gale

        Re: The way I thought this worked:

        And you're an anonymous bell-end who likes to downvote people for missing out an "n".

        Sorry for offending your sense of grammar.

  14. Anonymous Coward

    The problem with liberalism...

    This is just a sad symptom of a too liberal government and too little regulation.

    The solution is simple: regulate the fuck out of the credit rating companies.

    Since most people in the US are liberals (yes both parties are liberal, compared to e.g. some parties in the EU), then I have zero sympathy. Don't vote Reps or Dems and then complain about this shit, afaik there are other (currently small) parties to vote for in the US.

  15. KLane
    FAIL

    At the very least...

    Shouldn't they at least control their access by limiting an account to coming from a specific IP address or range? Or require the one-time pad as mentioned before?
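Taking Colin Miller's rate-monitoring idea, pixl97's point that legitimate pull volumes are bursty, and KLane's source-address restriction together, the following is an added example (not code from the article, the commenters, or Experian) of how a bureau-side audit could check a customer account's report pulls: a per-customer source allowlist plus a per-account daily baseline with headroom for bursts. The account names, IP ranges, baselines and log lines are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample access log (not real data), one report pull per line:
# "<ISO timestamp> <customer account> <source IP> <subject id>".
SAMPLE_LOG = (
    "2011-09-10T09:00:00 abilene-cu 203.0.113.10 S1001\n"
    "2011-09-10T09:20:00 abilene-cu 203.0.113.10 S1002\n"
    # a dealer's legitimate weekend burst: 40 pulls in four hours from its own range
    + "".join(f"2011-09-10T{10 + m // 10}:{(m % 10) * 6:02d}:00 demo-dealer 192.0.2.5 S2{m:03d}\n"
              for m in range(40))
    # stolen abilene-cu credentials used from elsewhere: 70 pulls in 70 minutes
    + "".join(f"2011-09-10T{22 + m // 60}:{m % 60:02d}:00 abilene-cu 198.51.100.7 S3{m:03d}\n"
              for m in range(70))
)

# Assumed per-customer source allowlist (KLane's suggestion) and typical daily volumes.
ALLOWED_RANGES = {
    "abilene-cu": [ipaddress.ip_network("203.0.113.0/24")],
    "demo-dealer": [ipaddress.ip_network("192.0.2.0/24")],
}
BASELINE_PER_DAY = {"abilene-cu": 12, "demo-dealer": 3}

def parse_log(text):
    # Parse into (timestamp, account, ip, subject) tuples, oldest first.
    events = []
    for line in text.splitlines():
        ts, account, ip, subject = line.split()
        events.append((datetime.fromisoformat(ts), account, ipaddress.ip_address(ip), subject))
    return sorted(events)

def audit_pulls(events, allowed, baseline, window=timedelta(hours=24),
                burst_factor=5, burst_floor=50):
    """Return (account, reason, detail) alerts: one per unknown source address, and one
    when pulls in the trailing window exceed max(burst_factor * baseline, burst_floor)."""
    recent = defaultdict(deque)
    seen_ips, rate_flagged, alerts = set(), set(), []
    for ts, account, ip, _subject in events:
        in_range = any(ip in net for net in allowed.get(account, []))
        if not in_range and (account, ip) not in seen_ips:
            seen_ips.add((account, ip))
            alerts.append((account, "source_ip", str(ip)))
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop pulls that have aged out of the window
            q.popleft()
        limit = max(burst_factor * baseline.get(account, 1), burst_floor)
        if len(q) > limit and account not in rate_flagged:
            rate_flagged.add(account)
            alerts.append((account, "rate", f"{len(q)} pulls in {window.total_seconds() / 3600:g}h"))
    return alerts
```

Because the article says the attackers started from an employee's computer inside the credit union, pulls routed through that machine would pass the address allowlist, so the volume check is the one that would fire in that case.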

  16. Steve Graham
    Facepalm

    How hard can it be?

    Like most businesses, the company I last worked for had a large customer database with confidential information in it.

    "Agents" who dealt with customers could only "log in" to one customer record at a time, the one they were dealing with, and all access was logged.

    Planners and statisticians were restricted in the content of the data dumps they could request, and software developers' test data had to be fully anonymised before we got our hands on it. Software developers were never allowed to touch production machines.

    Simple stuff, and by no means infallible, but better by far than the complete wide-open approach in this story.
