Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

Experian Identity Proofing Services Compromised; more bad news on the Data Broker front

by Avivah Litan  |  October 21, 2013  |  6 Comments

More bad news on the data broker front. Security blogger Brian Krebs revealed today that Experian, a major U.S. credit bureau, has been selling sensitive consumer PII data to a Vietnam-based identity theft service, albeit inadvertently. See krebsonsecurity.com

In March 2012, Experian acquired the data broker firm Court Ventures, which had reportedly and mistakenly started the illicit relationship with the criminal, who posed as a private investigator. According to Krebs’ investigation, Experian reportedly kept the relationship alive for a year after the acquisition. The Vietnamese criminal has since been arrested.

So what does all this mean for enterprises that rely on PII (Personally Identifiable Information) data and KBA (Knowledge Based Authentication) processes and for the rest of us mortals whose data are being collected?

a) Identity proofing and know-your-customer processes that depend on data aggregators’ mass troves of sensitive PII to validate a prospect’s or customer’s identity are compromised and relatively easily beaten by criminals.

For a fee, determined criminals can electronically impersonate anyone they want to at organizations that rely on data matching and knowledge-based authentication served up by the credit bureaus or other data brokers/aggregators in this ecosystem.

b) Identity proofing processes used by the data brokers themselves are also fallible, as evidenced in this case. This means that clever criminals can pose as legitimate businesses and gain access to these most sensitive services. If the data brokers can’t prove identities properly, then who can?

c) As consumers, we just have to realize that there is no data privacy anymore. Our life history and records on major financial transactions are for sale in the underground.

d) Regulators and legislators are years away from getting on top of these leaky faucets. And given the dysfunction in Washington, they could be decades away.

What’s the alternative?

Frankly, there is no easy alternative for identity proofing. We outline some of the steps that can be taken in G00239627 “The Four Layers of Identity Proofing Lead to Stronger Identity Verification”, but this requires that enterprises stitch together several niche solutions. Most of the banks we speak with that use data brokerage services for identity proofing are planning to wean themselves off these compromised services, especially the KBA processes whose systematic compromise was exposed by Krebs a few weeks ago. See our previous blog on the KBA breach and also krebsonsecurity.com

But because of the ‘no-easy-alternative’ situation, government agencies, financial services, health care and companies in other sectors are likely to continue to rely on data brokerage services, at least partially, for years to come – knowing full well that this reliance may come back to bite them financially.

And what about us consumers? Should we just hope for the best? The truth is that it’s beyond our control; all we can do is check our financial records as often as we can, so that we can report a problem as quickly as possible, before too much damage is done.

So let’s just keep our fingers crossed. And expect more such revelations of similar breaches in the years to come.


6 responses so far

  • 1 Scammer dupes Experian into selling Social Security numbers | The Last Watchdog   October 21, 2013 at 2:08 pm

    [...] consumers, we just have to realize that there is no data privacy anymore,” Litan writes in her blog. “Our life history and records on major financial transactions are for sale in the [...]

  • 2 Luis Saiz   October 21, 2013 at 5:21 pm

    But customers don’t want a physically secure ID with an RA under the government; they deserve this. Today you cannot base the security of anything on the confidentiality of a piece of info such as an SSN or PAN.

    By the way, my National ID: 17441874P ;-)

  • 3 Alexander Broman   October 22, 2013 at 3:52 am

    Hello Dear, I totally appreciate your post; it is as good as it sounds. Thanks for sharing this important article.

  • 4 Experian Identity Proofing Services Compromised; more bad news on the Data Broker front | Avivah Litan | vorobetz   October 22, 2013 at 11:13 am

    [...] http://blogs.gartner.com/avivah-litan/2013/10/21/experian-identity-proofing-services-compromised-mor… [...]

  • 5 a hannan   October 22, 2013 at 12:37 pm

    When we phoned Experian for our free annual credit report, we were told we had already received it and would have to pay for a second one. We had requested the report because 3 different credit card companies had sent out new cards to a new address 450 miles from our address. Thankfully, the card companies had e-mailed us a confirmation of the change of address and the addition of a new name to our accounts. We were able to have the c/a reverted and the new cards cancelled, but it has been a time-consuming nightmare. We believe it all started with Experian sending our credit reports to this thief, who then had all the info he needed to insert himself into our credit cards. Too bad we can’t sue them for this carelessness.

  • 6 Avivah Litan   October 23, 2013 at 10:50 pm

    I feel for your aggravation. Lucky you caught it before the damage was really hard to reverse. It must have been awful and at a minimum you should be paid for all your precious time spent correcting their mistakes.