{"id":5321,"date":"2021-04-30T14:18:15","date_gmt":"2021-04-30T18:18:15","guid":{"rendered":"https:\/\/solutionsreview.com\/identity-management\/?p=5321"},"modified":"2021-04-30T14:18:15","modified_gmt":"2021-04-30T18:18:15","slug":"the-experian-data-leak-what-you-need-to-know","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/","title":{"rendered":"The Experian Data Leak: What You Need to Know"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-4625\" src=\"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg\" alt=\"The Experian Data Leak: What You Need to Know\" width=\"800\" height=\"439\" srcset=\"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg 800w, https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded-300x165.jpg 300w, https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded-768x421.jpg 768w, https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded-492x270.jpg 492w, https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded-148x81.jpg 148w, https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded-328x180.jpg 328w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Experian, one of the Big-Three consumer credit bureaus in the United States, recently disclosed closing a vulnerability on a partner website that caused a data leak. 
The vulnerability in question allowed anyone to look up the credit score of tens of millions of Americans by simply supplying the victim\u2019s name and mailing address.\u00a0<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">According to <\/span><a href=\"https:\/\/krebsonsecurity.com\/2021\/04\/experian-api-exposed-credit-scores-of-most-americans\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">KrebsonSecurity.com<\/span><\/a><span style=\"font-weight: 400\">, independent security researcher Bill Demirkapi discovered the data leak. While consulting for a student loan vendor, he found that it used an Experian Application Programming Interface (API) that did not require any form of authentication. Moreover, Demirkapi suspects that hundreds of other lending companies might use the Experian API.\u00a0<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">If Demirkapi\u2019s allegations prove true, Experian\u2019s announcement of closing a single vulnerability might not solve the problem. It remains unclear how widespread the vulnerability may be or how many third parties may have accessed it. Experian denies the possibility of a systematic vulnerability.\u00a0<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">This is not the first major cybersecurity issue caused by the consumer credit bureaus. 
Fellow Big-Three bureau <\/span><a href=\"https:\/\/solutionsreview.com\/identity-management\/equifax-update-2-4-million-americans-affected-breach\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Equifax<\/span><\/a><span style=\"font-weight: 400\"> is responsible for one of the worst breaches in cybersecurity history.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">We consulted <a href=\"https:\/\/suggestionengine.solutionsreview.com\/buyer\/signup\" target=\"_blank\" rel=\"noopener\">cybersecurity<\/a> experts for their perspectives on the Experian Data Leak.\u00a0<\/span><\/p>\n<h2 style=\"text-align: justify\"><b>The Experian Data Leak<\/b><span style=\"font-weight: 400\">\u00a0<\/span><\/h2>\n<h3 style=\"text-align: justify\"><b>Nathanael Coffing<\/b><\/h3>\n<p style=\"text-align: justify\"><i><span style=\"font-weight: 400\">Nathanael Coffing is Co-Founder and CSO of <\/span><\/i><a href=\"https:\/\/cloudentity.com\/\" target=\"_blank\" rel=\"noopener\"><i><span style=\"font-weight: 400\">Cloudentity.<\/span><\/i><\/a><i><span style=\"font-weight: 400\">\u00a0<\/span><\/i><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">\u201cThis API security flaw leaked tens of millions of Americans\u2019 credit scores and left Experian customers\u2019 personal 
information vulnerable to fraud. Similar to the Walgreens data breach that occurred last year, this is a prime example of the importance of using identity and authorization as the baseline for security best practices at the API level.\u00a0<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Without secure identity and authorization controls placed on the API, a bad actor can easily obtain access to a user\u2019s data simply by programmatically using names and addresses. While this vulnerability was promptly resolved after it was identified, it is likely that other companies using similar APIs have also leaked users\u2019 credit scores. To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.\u201d<\/span><\/p>\n<h3 style=\"text-align: justify\"><b>Michael Isbitski<\/b><\/h3>\n<p style=\"text-align: justify\"><i><span style=\"font-weight: 400\">Michael Isbitski is a Technical Evangelist at <\/span><\/i><a href=\"https:\/\/salt.security\/\" target=\"_blank\" rel=\"noopener\"><i><span style=\"font-weight: 400\">Salt Security<\/span><\/i><\/a><i><span style=\"font-weight: 400\">.<\/span><\/i><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">\u201cThe leaky API was stood up by Experian so that lending partners could verify the creditworthiness of an individual and potential credit applicant. 
The data returned by the API included the person\u2019s FICO score and impacting risk factors on creditworthiness such as high credit utilization or too many open revolving accounts.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">To authenticate the individual, the public API required only first name, last name, street address, zip code, and birthdate. Unfortunately, this last authentication factor was not validated properly, and the check could be bypassed by using all zeros for the birth date.\u00a0<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Even if an individual\u2019s birthday was being properly validated, the authentication factors that were being used were weak. Much of the authentication material that Experian was using is public or semi-public as a result of prior security breaches at other service providers.\u00a0<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">It&#8217;s not clear if this weakness was exploited by other attackers beyond the security researcher&#8217;s probing and disclosure. Experian confirmed only that they were able to uncover the security researcher\u2019s activity in their backend logs after the problem was disclosed to them. An API that uses weak authentication like this could potentially be enumerated and scraped to obtain large amounts of the private, credit-related data.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">From the perspective of the consumer, a credit freeze is always a good idea to protect themselves from identity and credit fraud. If an individual had a credit freeze in place, Experian\u2019s API returned no data for that person.\u201d<\/span><\/p>\n<p style=\"text-align: justify\"><div class=\"hr hr\"><\/div><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Thanks to these experts for their time and expertise on the Experian Data Leak. 
For more, check out the Identity Management Buyer\u2019s Guide or the <a href=\"https:\/\/suggestionengine.solutionsreview.com\/buyer\/signup\" target=\"_blank\" rel=\"noopener\">Solutions Suggestion Engine<\/a>.\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Experian, one of the Big-Three consumer credit bureaus in the United States, recently disclosed closing a vulnerability on a partner website that caused a data leak. The vulnerability in question allowed anyone to look up the credit score of tens of millions of Americans by simply supplying the victim\u2019s name and mailing address.\u00a0 According to [&hellip;]<\/p>\n","protected":false},"author":41,"featured_media":4625,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[5,1],"tags":[142,175,125,1013,16,1598,1674,1204,76,425,70,1675],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Experian Data Leak: What Your Business Needs to Know<\/title>\n<meta name=\"description\" content=\"Experian, one of the Big-Three consumer credit bureaus in the United States, disclosed closing a vulnerability on a partner website that caused a data leak.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" 
\/>\n<link rel=\"canonical\" href=\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ben Canner\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/\",\"name\":\"The Experian Data Leak: What Your Business Needs to Know\",\"isPartOf\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg\",\"datePublished\":\"2021-04-30T18:18:15+00:00\",\"dateModified\":\"2021-04-30T18:18:15+00:00\",\"author\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541\"},\"description\":\"Experian, one of the Big-Three consumer credit bureaus in the United States, disclosed closing a vulnerability on a partner website that caused a data 
leak.\",\"breadcrumb\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#primaryimage\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg\",\"contentUrl\":\"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg\",\"width\":800,\"height\":439,\"caption\":\"The Experian Data Leak: What You Need to Know\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/solutionsreview.com\/identity-management\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Experian Data Leak: What You Need to Know\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#website\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/\",\"name\":\"Identity and Access Management Solutions | Solutions Review\",\"description\":\"Evaluating Enterprise IAM Software, Identity Governance &amp; Access Control 
Tools.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/solutionsreview.com\/identity-management\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541\",\"name\":\"Ben Canner\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g\",\"caption\":\"Ben Canner\"},\"description\":\"Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/author\/bcanner\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Experian Data Leak: What Your Business Needs to Know","description":"Experian, one of the Big-Three consumer credit bureaus in the United States, disclosed closing a vulnerability on a partner website that caused a data leak.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/","twitter_misc":{"Written by":"Ben Canner","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/","url":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/","name":"The Experian Data Leak: What Your Business Needs to Know","isPartOf":{"@id":"https:\/\/solutionsreview.com\/identity-management\/#website"},"primaryImageOfPage":{"@id":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#primaryimage"},"image":{"@id":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#primaryimage"},"thumbnailUrl":"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg","datePublished":"2021-04-30T18:18:15+00:00","dateModified":"2021-04-30T18:18:15+00:00","author":{"@id":"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541"},"description":"Experian, one of the Big-Three consumer credit bureaus in the United States, disclosed closing a vulnerability on a partner website that caused a data leak.","breadcrumb":{"@id":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#primaryimage","url":"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg","contentUrl":"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/11\/Firemon-Cloud-Security-modded.jpg","width":800,"height":439,"caption":"The Experian Data 
Leak: What You Need to Know"},{"@type":"BreadcrumbList","@id":"https:\/\/solutionsreview.com\/identity-management\/the-experian-data-leak-what-you-need-to-know\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/solutionsreview.com\/identity-management\/"},{"@type":"ListItem","position":2,"name":"The Experian Data Leak: What You Need to Know"}]},{"@type":"WebSite","@id":"https:\/\/solutionsreview.com\/identity-management\/#website","url":"https:\/\/solutionsreview.com\/identity-management\/","name":"Identity and Access Management Solutions | Solutions Review","description":"Evaluating Enterprise IAM Software, Identity Governance &amp; Access Control Tools.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/solutionsreview.com\/identity-management\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541","name":"Ben Canner","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g","caption":"Ben Canner"},"description":"Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. 
You can reach him via Twitter and LinkedIn.","url":"https:\/\/solutionsreview.com\/identity-management\/author\/bcanner\/"}]}},"_links":{"self":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/posts\/5321"}],"collection":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/comments?post=5321"}],"version-history":[{"count":0,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/posts\/5321\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/media\/4625"}],"wp:attachment":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/media?parent=5321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/categories?post=5321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/tags?post=5321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}