Do you have Experian credit monitoring? According to an article by KrebsOnSecurity, hackers are able to take over an individual’s Experian account simply by changing the email address of the existing account.
In 2021, KrebsOnSecurity carried out an experiment to show how a hacker can gain access to individuals’ credit information. The experiment showed that hijacking Experian accounts was alarmingly easy. The data security company undertook this experiment after receiving reports of individuals who discovered their accounts were hacked.
To create an account, an individual:
- Provides personal identifying information such as name, address, date, SSN
- Answers multiple choice questions with answers that could be derived from public records
- Adds and confirms an email address
- Account is created
In several of the cases reported, the individuals had also put freezes on their credit to prevent credit fraud.
The investigation discovered the following:
- Anyone can change the original email address in an existing account
- The system did not authenticate the new email address
- It did not confirm that this was an approved change
- Once the email address was changed, the user was then prompted to create new secret questions and answers and recovery questions
- The user was prompted to create a new security PIN
- If the account was originally frozen, the user was asked if they would like to lift the security freeze
Summary of safeguard issues
- No multi-factor authentication available
- Accounts can be created with publicly available or lax security questions
- Minimal or no notifications sent to confirm changes
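The following Python example, added here for illustration and not taken from Experian or KrebsOnSecurity, shows an email-change flow that addresses the issues listed above: the change requires the account's existing PIN, the new address must be confirmed, the old address is notified, and a freeze cannot be lifted right after a change. The `Account` class, the function names, the in-memory `outbox`, the plain-text PIN and the 72-hour hold are all assumptions made for the example.

```python
import hmac
import secrets

COOL_DOWN = 72 * 3600  # assumed hold (seconds) on sensitive actions after an email change

class Account:
    def __init__(self, email, pin, frozen=True):
        # PIN kept in plain text only to keep the example short; store a hash in practice.
        self.email, self.pin, self.frozen = email, pin, frozen
        self.pending = None           # (new_email, token, expires_at)
        self.email_changed_at = None
        self.outbox = []              # (recipient, message) pairs standing in for real mail

def request_email_change(acct, new_email, pin, now):
    """Re-authenticate, mail a token to the NEW address, and alert the OLD one."""
    if not hmac.compare_digest(pin, acct.pin):
        acct.outbox.append((acct.email, "Failed attempt to change your email"))
        return None
    token = secrets.token_urlsafe(32)
    acct.pending = (new_email, token, now + 3600)   # token valid for one hour
    acct.outbox.append((new_email, "Confirm this address: " + token))
    acct.outbox.append((acct.email, "Email change requested; contact us if this was not you"))
    return token

def confirm_email_change(acct, token, now):
    """The address on file changes only after the new address proves receipt of the token."""
    if acct.pending is None:
        return False
    new_email, expected, expires_at = acct.pending
    if now > expires_at or not hmac.compare_digest(token, expected):
        return False
    old_email = acct.email
    acct.email, acct.pending, acct.email_changed_at = new_email, None, now
    acct.outbox.append((old_email, "Your account email was changed"))
    return True

def lift_freeze(acct, pin, now):
    """Refuse to unfreeze with a wrong PIN or while a recent email change is on hold."""
    on_hold = acct.email_changed_at is not None and now - acct.email_changed_at < COOL_DOWN
    if on_hold or not hmac.compare_digest(pin, acct.pin):
        acct.outbox.append((acct.email, "Blocked attempt to lift your security freeze"))
        return False
    acct.frozen = False
    return True
```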
Experian offers additional security features for a fee. However, we believe the company is responsible for protecting individuals’ sensitive information and ensuring that they are aware of any changes to their accounts.
If you have been impacted by Experian’s data protection practices, please contact our attorneys at (619) 238-1811 to explore your legal options.