
Experian Sold Consumer Data to ID Theft Service - cylo
http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/
======
cptskippy
I did a double take when I saw this because I've been in contact with Equifax
recently because I started receiving SPAM from a non-existent email address
that I shared with them.

I have a catch-all address set up on my domain so that I can give every site I
interact with their own custom email address. In this case it was
equifax.com@mydomain.com. Since the email address doesn't exist, and they're
the only company I've shared it with, they're the only ones with a record of
its existence.

When I emailed them asking if they'd had a security breach or if they were
selling email addresses, they responded saying they would opt me out of marketing
emails. When I responded with the context and header info of the emails I
received and asked if this was in fact from them, things turned. About an hour
later I got a response; the tone had changed significantly and they indicated
that the incident had been escalated to their security department and that
they would be in contact with me as their investigation progressed.

I can say this has been the best response to the dozens of emails I've sent to
companies about the same issue. The worst was Best Buy whose response was
something along the lines of "Eat D __k, we do what we want. "

~~~
hnriot
That's not exactly a difficult email address to guess. I would think that in
this case (specifically this case) Equifax would have a very good claim that
it wasn't them that leaked it. If instead you had used a hash or something
unguessable then you might have a case, but I could easily go and sign up to
my favorite Nigerian viagra supplier with all the usual suspects
facebook@yourdomain.com, airbnb@yourdomain.com... and you'd go right on
blaming Facebook, Airbnb, etc.
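
The catch-all trick described in the comment above, and hnriot's objection that a tag like equifax.com@ is trivially guessable, as an added example that is not part of the thread or of any commenter's setup: each site gets an address whose tag is an HMAC of the site name, so a third party cannot mint a valid tag for a site they want to frame, and incoming mail is triaged by recovering which site the address was issued to. The domain, secret and message headers are constructed placeholders.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders for the example; not values from the thread.
SECRET = b"example-secret-rotate-me"
DOMAIN = "mydomain.com"
TAG_LEN = 12  # hex chars kept from the HMAC; 48 bits is plenty against guessing


def tagged_address(site: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Per-site address whose tag is an HMAC of the site name.

    Unlike a bare 'equifax.com@mydomain.com', nobody who lacks the secret can
    produce a valid tag for a site, so a spammer signing up with a guessed
    address cannot make it look like that site leaked it.
    """
    site = site.lower()
    tag = hmac.new(secret, site.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{site}.{tag}@{domain}"


def site_for_address(addr: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Return the site an address was issued to, or None if the tag is not one
    we generated (a guessed or forged address)."""
    local, _, dom = addr.lower().rpartition("@")
    if dom != domain or "." not in local:
        return None
    # The tag is hex, so it never contains a dot; everything before the last
    # dot is the site name (which may itself contain dots, e.g. example.test).
    site, _, tag = local.rpartition(".")
    expected = hmac.new(secret, site.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    return site


def triage(raw_message: str) -> dict:
    """Classify one inbound message by the tagged address it was sent to.

    The address itself is the evidence of where the leak came from; the From
    header is only used to separate the site's own mail from third-party mail
    and can of course be spoofed, so treat the verdict as triage, not proof.
    """
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    site = site_for_address(to_addr)
    if site is None:
        return {"to": to_addr, "from": from_addr, "site": None, "verdict": "unknown-tag"}
    sender_domain = from_addr.rpartition("@")[2]
    if sender_domain == site or sender_domain.endswith("." + site):
        verdict = "expected-sender"
    else:
        verdict = "leaked-or-sold"
    return {"to": to_addr, "from": from_addr, "site": site, "verdict": verdict}


# Constructed sample messages: unrelated spam to a valid tag, the site's own
# mail to that tag, and a guessed address with a made-up tag.
SAMPLE_MESSAGES = [
    f"From: promo@deals.invalid\nTo: {tagged_address('example-bank.test')}\n"
    "Subject: You won\n\nbody\n",
    f"From: noreply@example-bank.test\nTo: {tagged_address('example-bank.test')}\n"
    "Subject: Your statement\n\nbody\n",
    "From: promo@deals.invalid\nTo: example-bank.test.000000000000@mydomain.com\n"
    "Subject: You won\n\nbody\n",
]


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

Only the second message is mail from the site the address was issued to; the first is evidence that the example-bank.test address reached someone else, and the third is rejected because its tag does not verify, which is exactly the case hnriot raises.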

~~~
cptskippy
This is a classic case of engineering a solution to a problem that doesn't
exist.

The first question you have to ask yourself is for what reason would anyone
choose to do that? Shits-and-giggles and malice against me personally are
about the only legitimate reasons someone would do that.

Spammers wouldn't want my dummy addresses in their list, and harvesters who
sell emails to spammers wouldn't either because I could easily invalidate
swaths of their lists by disabling my catch-all giving them a bad reputation.

I mainly do this to see how my email address gets around. If and when I
contact a company about my email address receiving SPAM, I don't name and
shame in any public capacity. It's of little consequence how they respond
because the damage is done; it's not like they can undo the SPAM.

------
afreak
This Dilbert comic is 100% apt today:
[http://dilbert.com/strips/comic/2010-10-14/](http://dilbert.com/strips/comic/2010-10-14/)

~~~
NIL8
Perfect.

------
mindslight
Except there's actually no such thing as "identity theft" - it's a mere
figment of the credit industry's (tracking industry's) fantasy in which
they're omniscient, and an attempt to slowly push the responsibility for bank
fraud onto uninvolved third parties. In reality, some would-be bank fraudsters
got ahold of some non-secret information.

~~~
Amadou
I agree. Identity theft is just a particular method of fraud with a name that
mitigates the responsibility of the institutions that enabled the fraudsters.

I don't know if it is one of those terms that was invented by one of those
PR agencies that invented terms like "climate change" to mitigate the visceral
impact of "global warming."[1] But it certainly has ended up as a term that
obfuscates the responsibility of banks to stop treating public information
like passwords.

[1]
[https://en.wikipedia.org/wiki/Frank_Luntz](https://en.wikipedia.org/wiki/Frank_Luntz)

~~~
davvolun
I think 'climate change' is generally used now because 'global warming'
implies the entire globe will become warmer, when in fact some areas, due to
complex interactions, will actually become cooler. That, combined with the
political posturing (on both sides), has made it useful to use a more general
term. IMHO.

------
3327
Well, is it fair to say that the credit system in the US is fu __ed up? An
oligopoly of 3 agencies has pretty much entire control of your fate. Yes,
Fate. Purchasing power means cash, and since credit = cash these companies
control the cash that you have at your disposal. Which means your FATE. It's
insanely difficult to pierce oligopolistic structures and cartels because of
obvious reasons. But some day some startup needs to tackle this. The system
works for most but doesn't work for many.

~~~
callmeed
Yes absolutely. I currently cannot buy a house despite having a six-figure
income for 4 years, money in savings, and having no debt save my student loan.
All because of bad decisions I made in years past.

~~~
malandrew
I thought credit rating things only lasted 7 years. Are your credit
transgressions more recent than that?

~~~
callmeed
Most are, but (from what I understand) there are ways items can stay on for
longer. For example, if your account is sold or resold to a collection agency,
I believe the clock resets under the new creditor.

~~~
pc86
This is not accurate. The clock only "resets" if you take action on it. It can
be resold every 6 months and unless you contact a creditor about the debt,
nothing changes.

For small debts in the 4-6 year range it's usually fine to let them just fall
off your report (although there's certainly a moral ambiguity there). Larger
debts will almost always be litigated well before the 7-year mark, and
entering into litigation does reset that clock.

------
icu
Thanks cylo for the post. Sadly we can't seem to trust the credit agencies or
Government agencies with data protection. We need a politician who will
champion some sort of legal offence (Federal?) for digital data protection
breaches whatever the industry/company (above anything that already exists)
that will scare companies enough that they start taking digital identity
seriously. Maybe that's a pipe dream but I get the sense after reading this
article that regulators just don't carry a big enough stick or have too light
a touch when punishing serious infractions.

~~~
Zenst
Agreed, and I'm somewhat surprised (UK peep here) that no data protection act
is in place. The UK had the first version of the act in 1984 (oh the ironic choice of
dates, governmental humour maybe).

With that I'm amazed there is nothing in the USA; must be something beyond
class action suits?

~~~
ams6110
I think protecting data is a hopeless goal. The penalties need to be for
fraud, and the responsibility for identity verification needs to be the
creditors.

Hospital admissions and discharges used to be published every day in the
paper. People used to have their social security number printed on their
checks. Someone's birthday was a day of celebration, not a personal secret.

I want to get back to a place where routine facts about me do not need to be
secret or something I worry about. The onus should be on anyone granting
credit to verify that the person is who they claim to be, and it should take
more than a few bits of public information to do that.

~~~
icu
ams6110, I wish for a world where your quote "I want to get back to a place
where routine facts about me do not need to be secret or something I worry
about" were true.

However, Pandora's box is open and we can never ever go back.

When you say, "The onus should be on anyone granting credit to verify that the
person is who they claim to be" I couldn't agree more. This goes to the heart
of my argument, you cannot trust those granting the credit. The invisible hand
isn't working here. The only other option is to use fear to keep them in
line... fear of a regulator that has teeth.

------
tonyfelice
Sort of insinuates that ID theft is not meant to be a core focus of Experian.

~~~
carbocation
> _Sort of insinuates that ID theft is not meant to be a core focus of
> Experian._

The post is saying that a service that aids scammers purchased data from
Experian.

Seeing the title, I initially thought it meant that Experian sold data to an
ID Theft-prevention service, which would be less bad.

~~~
greenyoda
I read it the same way, but that would have been pretty bad in and of itself.
Why should an ID theft prevention service have data on me unless I have a
business relationship with them?

~~~
carbocation
Going back a step, why should Experian have data on you?

~~~
johntb86
How else would credit history (and credit in general) work?

~~~
Silhouette
Voluntarily?

If you want to use credit, you have to let lenders collaborate to determine
whether they're willing to lend to you, if that's their criteria for making
decisions.

If you don't want to use credit, they get no special pass to store and use
personal data about you.

I'm from Europe, where generally personal privacy gets more emphasis than it
seems to in some places, notably the US. We have explicit laws about
collecting and processing personal data, but certain organisations seem to get
a free pass for no apparent reason. As this story demonstrates, the risks are
still there.

That said, perhaps we shouldn't be too worried. The last time I paid a little
real money to get hold of my personal credit report from one of these credit
reporting organisations, it was so riddled with obvious errors, including more
than a few wildly inaccurate data points, that I was on the phone to them for
something like half an hour to get them to correct everything. At that point
(I kid you not) the woman on the phone asked if I would be much longer because
it was the end of the day and time for her to go home.

~~~
dingaling
I'm convinced that those 'errors' on reports are actually phishing.

When I ordered my reports I paid with postal orders, so as not to leak any
financial information back to the agencies. I'm glad I did so, as the details
(other than my mortgage) were laughably incorrect.

I was on the verge of writing to correct them and then caught myself - that's
exactly what they want, isn't it? So hopefully by now they've diverged even
further from the truth.

~~~
pc86
Were they negative elements or just factually incorrect neutral/positive
elements? Correct or not, if your credit report is pulled and there is wildly
inaccurate (negative) information you can still be declined, and not many
people know that you are entitled to a free report if you're declined based on
what's in that report.

~~~
Karunamon
In my experience, most every place that declines you based on report data will
send you a letter saying (in very general terms, but still) what criterion you
failed, as well as the information about where to get your report.

------
bediger4000
Do "underground" credit rating agencies exist? I don't mean credit rating
agencies for carders and scammers, I mean agencies that track things they're
not supposed to track. Agencies that keep the data on file for longer than
they're supposed to, keep track of how many times a particular ID asks for
refunds, or to get their security deposit back, material like that.

It would have to be out of the Caribbean or some place with lax data privacy
laws, and strict confidentiality laws.

~~~
gergles
There's a ton of those that are fully aboveboard, you just don't hear about
them. One exists for return tracking, one exists for how many applications
you've filed for credit cards, one exists for landlord/tenant court entries
that saves them forever (they insist they aren't a CRA but under the law they
clearly are) -- there's a ton of them other than the Big 3 and there's almost
no _effective_ regulation around them.

------
arca_vorago
For those of you interested in learning how the _cough_ scam _cough_ system of
credit scores works and how to maximize the system, here is a talk I have
found very informative. It's a dirty business and industry...

[http://www.youtube.com/watch?v=5gFDnQGr6WU](http://www.youtube.com/watch?v=5gFDnQGr6WU)

------
f902370
The world should calm down. Take a few years to review what we've done in the last
50 years.

~~~
skrebbel
Yeah. Let's rent a holiday cottage with all of us and talk it through.

