We are in the midst of National Protect Your Identity Week, and credit reporting giant Experian is kicking off the festivities with some ID theft prevention tips, such as signing up for Experian’s own credit monitoring service at a cost of $14.95 a month. Never mind that the Consumer Financial Protection Bureau has advised consumers that paying for credit monitoring is unnecessary and lower-cost alternatives exist—preying on fear is good business for Experian. After all, there are so many identity thieves out there, and some of them acquired Americans’ valuable personal information from. . . Experian.
An article today by former Washington Post reporter Brian Krebs reveals that the same company cashing in on unnecessary credit monitoring products to catch ID theft also allowed an identity theft website, Superget.info, to buy private information from its databases. According to Krebs:
An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus… the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality… the individuals apparently responsible for running Superget.info were based in Vietnam.
There is no evidence that Experian deliberately peddled customers’ personal data to criminals. Yet Marc Martin, CEO of a company that partnered with the Experian subsidiary, suggested to Krebs that Experian had clear warning signs that their customer was not who he claimed to be. One sign? The supposed American private investigator paid Experian using wire transfers from Singapore. One might think that would raise a red flag or two with a company that bills itself as expert on data security. Yet Experian took no action until the U.S. Secret Service informed the company its data was being used by criminals.
The Fair Credit Reporting Act regulates who can acquire a consumer report from a credit reporting agency like Experian, but breaches like this one suggest penalties and protections may not be substantial enough to motivate companies to closely screen who buys their data. After all, it’s a sweet business, selling consumer data to identity thieves on one hand and a monitoring service to alert frightened consumers to identity theft on the other. And with the current Congress unlikely to give regulators even the most commonsense new tools to crack down on the industry, this may not be the last we hear of this type of lucrative and exploitative business operation.