Security Expert Sounds The Alarm On Experian Credit Account Hijackings
Experian just can't seem to catch a break lately, as the credit bureau has found itself at the center of yet another security kerfuffle — something you'd think one of the three biggest credit monitoring companies in the world would want to maybe try and avoid. Between a database hack that compromised the information of 15 million T-Mobile customers and being accused of making it too easy for the wrong person to get ahold of a credit freeze PIN, Experian hasn't had the best track record. Now, judging by a report from Krebs on Security, nothing has changed.
In fact, the report details multiple accounts of users who have allegedly had their Experian profiles hijacked through what's believed to be a simple combination of public research and lax verification practices. In at least a couple of instances, it appears that malicious parties were able to quickly assume control by simply making a new Experian account using the target's social security number (likely acquired in a data breach, possibly even one of Experian's breaches). That, and spending some time looking up answers to security questions, many of which are said to be a little too easy to research online.
What can you do to protect your data?
Unfortunately, there isn't much that can be done to prevent such an account hijacking from the user level. Experian claims these were likely isolated incidents and that there's more verification happening behind the scenes, though that doesn't address the issue of people having their accounts taken over via new account creation in the first place.
In one instance, an affected user received an email stating that the associated email had been changed, which prompted a call to customer service and a lot of time spent trying to sort everything out. But the other user reported no such notification from Experian, and instead only discovered the takeover when a completely separate credit monitoring service issued a warning.
So unless and until Experian changes its account security management to allow for multi-factor authentication across the board, your best bet is probably to just keep an eye on your account manually. Check in every so often to make sure your sign-in details are the same, and that you can actually access your profile — and if anything seems off or you find yourself locked out, get in touch with Experian immediately.