More bad news on the data broker front. Security blogger Brian Krebs revealed today that Experian, a major U.S. credit bureau has been selling sensitive consumer PII data to a Vietnam-based identity theft service, albeit inadvertently. See krebsonsecurity.com
In March 2012, Experian acquired data broker firm Court Ventures that mistakenly and reportedly started the illicit relationship with the criminal who posed as a private investigator. According to Krebs’ investigation, Experian reportedly kept the relationship alive for a year after its acquisition. The Vietnamese criminal has since been arrested.
So what does all this mean for enterprises that rely on PII (Personally Identifiable Information) data and KBA (Knowledge Based Authentication) processes and for the rest of us mortals whose data are being collected?
a) Identity proofing and know-your-customer processes that depend on data aggregators’ mass troves of sensitive PII information to validate a prospect or customer’s identity are compromised and relatively easily beaten by criminals.
For a fee, determined criminals can electronically impersonate any one they want to at organizations that rely on data matching and knowledge based authentication served up by the credit bureaus or other data brokers/aggregators in this ecosystem.
b) Identity proofing processes used by the data brokers themselves are also fallible, as evidenced in this case. This means that clever criminals can pose as legitimate businesses and gain access to these most sensitive services. If the data brokers can’t prove identities properly, then who can?
c) As consumers, we just have to realize that there is no data privacy anymore. Our life history and records on major financial transactions are for sale in the underground.
d) Regulators and legislators are years away from getting on top of these leaky faucets. And given the dysfunction in Washington, they could be decades away.
What’s the alternative?
Frankly there is no easy alternative for identity proofing. We outline some of the steps that can be taken in G00239627 “The Four Layers of Identity Proofing Lead to Stronger Identity Verification” but this requires that enterprises stitch together several niche solutions. Most of the banks we speak with who are using data brokerage services for identity proofing are planning to wean themselves off these compromised services, especially the KBA processes whose systematic compromise was exposed by Krebs a few weeks ago. See our previous blog on the KBA breach and also krebsonsecurity.com
But because of the ‘no-easy-alternative’ situation, government agencies, financial services, health care and companies in other sectors are likely to continue to rely on data brokerage services, at least partially, for years to come – knowing full well that that this reliance may come back to bite them financially.
And what about us consumers? Should we just hope for the best? The truth is it’s beyond our control and all we can do is check our financial records as often as we can so that we can report a problem as quickly as possible before too much damage is done.
So let’s just keep our fingers crossed. And expect more such revelations of similar breaches in the years to come.
Read Complimentary Relevant Research
Predicts 2017: Artificial Intelligence
Artificial intelligence is changing the way in which organizations innovate and communicate their processes, products and services. Practical...
View Relevant Webinars
How to Live Without Mobile Device Management
This webinar addresses the growing trend of users refusing to have enterprise management of their mobile devices due to privacy concerns....
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.