Credit reporting companies

The credit reporting bureau Experian is facing a backlash for its recent failures to protect customer data.

An undergraduate student at Rochester Institute of Technology named Bill Demirkapi discovered the most recent security failure. The problem was located on the Experian website, which provided anyone’s credit score when a full name and street address was entered. The issue was first reported by the cybersecurity site KrebsOnSecurity.

Demirkapi believes this loophole may indicate cause for more general concern about the way Experian protects consumer information. The company has suffered data breaches in the past.

While Experian claims to have fixed this particular issue, the bigger issue remains: credit reporting bureaus have access to highly sensitive consumer data, and a virtual parade of cybersecurity lapses points to the need for tighter cybersecurity practices at the big three credit reporting companies.

Significant data breaches at credit score bureaus include:

Experian, 2020: A data breach impacted 24 million Experian customers, plus almost 800,000 businesses in South Africa. The perpetrators were quickly apprehended before they could leverage the information.

TransUnion, 2019: The credit reporting bureau reported the data compromise of 37,000 Canadians, however the nature and content of that compromise are not clear.

Equifax, 2017: A data breach impacted almost 150 million Equifax customers, who subsequently reported identity-related crimes using that data. The information included driver’s licensescredit card, and Social Security numbers. Equifax was dinged more than $380 million as part of a class-action lawsuit, though it’s currently appealing the ruling.

Experian, 2013 – 2015: Hackers stole a trove of information from T-Mobile customers whose data had passed through Experian to check credit there and open a new account. The data included addresses, birthdays, and even Social Security numbers. In 2018, Experian settled a class-action lawsuit for $22 million.


It is impossible to protect yourself against a third-party data breach. When hackers successfully attack multinational corporations and go undetected for months or even years at a time, the consumer impact can be dire.

You can do everything right and still be compromised. It doesn’t always matter how tight a grip you keep on personal data—systems are interconnected, and a single weak link anywhere in the chain can impact you.

Though no solution is perfect, there are some measures you can take to improve your security.

    • Subscribe to alerts: Companies like Norton and Identity Guard offer threat identification services that can detect and alert you to breaches. Remember, part of why these attacks can get so bad is they go undetected for long periods. Many companies now offer insurance policies that can help you recoup lost money, and even help you through the reporting and recovery process.
    • Use a VPN that you pay for: Having a VPN can make it much harder to steal your data and prevent identity theft. It does this through encryption, making life difficult for malicious actors. Keep in mind, VPNs are great for logging onto suspicious WiFi systems or transferring information between devices, but these services can’t prevent data theft on an institutional level. If a company is hacked, you’re essentially out of luck. If the VPN is free, chances are good that your information is being sold.
    • Implement credit freezes: It’s a good idea to freeze your credit when you are not using it. It’s a free service offered by the major bureaus that can help prevent new account and account takeover fraud. You can also set up a fraud alert for additional protection. In both cases, you need to grant access before anyone can see your credit report.
    • Do some background research before giving your personal information to a company or service: If they have a cool offering, but they also have a history of cybersecurity issues you should look for something similar elsewhere.
    • Follow the three Ms: 
      • Minimize your risk: Don’t provide any more information than necessary to third-parties; be especially careful with sensitive data such as your Social Security number. Shred any receipts, credit offers or expired credit cards that can be used to steal your identity or open accounts in your name.
      • Monitor your accounts: Review your credit reports regularly to see if any new lines of credit have been opened in your name. Also review bank accounts and credit cards for unauthorized activity.
      • Manage the damage: If your identity or data have been stolen, act quickly. File an identity theft affidavit with the FTC and law enforcement, and the fraud department at your bank and credit card issuers.