Gartner Blog Network

Experian Identity Proofing Services Compromised; more bad news on the Data Broker front

by Avivah Litan  |  October 21, 2013  |  6 Comments

More bad news on the data broker front. Security blogger Brian Krebs revealed today that Experian, a major U.S. credit bureau, has been selling sensitive consumer PII data to a Vietnam-based identity theft service, albeit inadvertently. See

In March 2012, Experian acquired data broker firm Court Ventures, which reportedly had mistakenly started the illicit relationship with the criminal, who posed as a private investigator. According to Krebs’ investigation, Experian reportedly kept the relationship alive for a year after its acquisition. The Vietnamese criminal has since been arrested.

So what does all this mean for enterprises that rely on PII (Personally Identifiable Information) data and KBA (Knowledge Based Authentication) processes and for the rest of us mortals whose data are being collected?

a) Identity proofing and know-your-customer processes that depend on data aggregators’ mass troves of sensitive PII information to validate a prospect or customer’s identity are compromised and relatively easily beaten by criminals.

For a fee, determined criminals can electronically impersonate anyone they want to at organizations that rely on data matching and knowledge based authentication served up by the credit bureaus or other data brokers/aggregators in this ecosystem.

b) Identity proofing processes used by the data brokers themselves are also fallible, as evidenced in this case. This means that clever criminals can pose as legitimate businesses and gain access to these most sensitive services. If the data brokers can’t prove identities properly, then who can?

c) As consumers, we just have to realize that there is no data privacy anymore. Our life history and records on major financial transactions are for sale in the underground.

d) Regulators and legislators are years away from getting on top of these leaky faucets. And given the dysfunction in Washington, they could be decades away.

What’s the alternative?

Frankly there is no easy alternative for identity proofing. We outline some of the steps that can be taken in G00239627 “The Four Layers of Identity Proofing Lead to Stronger Identity Verification” but this requires that enterprises stitch together several niche solutions. Most of the banks we speak with who are using data brokerage services for identity proofing are planning to wean themselves off these compromised services, especially the KBA processes whose systematic compromise was exposed by Krebs a few weeks ago. See our previous blog on the KBA breach and also

But because of the ‘no-easy-alternative’ situation, government agencies, financial services, health care and companies in other sectors are likely to continue to rely on data brokerage services, at least partially, for years to come – knowing full well that this reliance may come back to bite them financially.

And what about us consumers? Should we just hope for the best? The truth is it’s beyond our control and all we can do is check our financial records as often as we can so that we can report a problem as quickly as possible before too much damage is done.

So let’s just keep our fingers crossed. And expect more such revelations of similar breaches in the years to come.


Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

Thoughts on Experian Identity Proofing Services Compromised; more bad news on the Data Broker front

  1. […] consumers, we just have to realize that there is no data privacy anymore,” Litan writes in her blog. “Our life history and records on major financial transactions are for sale in the […]

  2. Luis Saiz says:

    But customers don’t want a physically secure ID with RA under the government, they deserve this. Today you cannot base the security of anything on the confidentiality of a piece of info, SSN or PAN.

    By the way, my National ID: 17441874P 😉

  3. Hello dear, I totally appreciate your post; it is as good as it sounds. Thanks for sharing this important article.

  4. a hannan says:

    When we phoned Experian for our free annual credit report, we were told we had already received it and would have to pay for a second one. We had requested the report because 3 different credit card companies had sent out new cards to a new address 450 miles from our address. Thankfully, the card companies had emailed us a confirmation of the change of address and the addition of a new name to our accounts. We were able to have the c/a reverted and the new cards cancelled, but it has been a time-consuming nightmare. We believe it all started with Experian sending our credit reports to this thief who then had all the info he needed to insert himself into our credit cards. Too bad we can’t sue them for this carelessness.

  5. Avivah Litan says:

    I feel for your aggravation. Lucky you caught it before the damage was really hard to reverse. It must have been awful and at a minimum you should be paid for all your precious time spent correcting their mistakes.
