Experian's Fundamental Breach of Data Protection Act 1998

VictimOfImpersonation Posts: 334 Forumite
edited 29 December 2013 at 4:09PM in Credit file & ratings
In another thread, which discusses an MSE news story about worrying revelations on security of personal data at Compare The Market (an organisation which itself will have close links to CRAs by virtue of it collecting personal data and constantly causing ID and credit checks on our files), I have got into a surprising ding dong with Experian Company Representative. According to the signature, he is Head Of Consumer Affairs at Experian (UK I assume and not worldwide - they are a giant worldwide CRA).

He does post at weekends when it suits him, but he has gone strangely quiet since I told him Experian were breaking the law.

I have discovered that Experian tolerate false data on our records to the extent that if you have a good credit history, it seems a fraudster can use an incorrect date of birth to secure credit in your name with the barest name and address details, and Experian will accept that data and simply mark your file with a negative mark because a new credit agreement is registered in your name.

They will not alert you to false date of birth data and it seems they will not alert the bank who gave them the data either because the bank will just carry on like normal same as the CRA until someone says "Hey, what are you playing at?"

Furthermore, when I point out that there is an obvious date of birth mismatch, Experian Company Representative says date of birth is not the only identifying data they use :mad: . What planet is he on? Those of us that understand relational databases have to wonder whether he has any skill in the realm of data science at all?

My Experian CRA record has tens of entries recorded over decades all with the correct date of birth, yet now it has one two month old one with a totally incorrect date of birth - the fraudulent credit agreement.

I am an established case with very consistent personal data. If it can happen to my data record at Experian, it can happen to thousands.

And the official Experian spokesperson on MSE (yes they have one surprise surprise) says date of birth is not the only identifying factor :(. He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.

I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law. Whether he is heeding my advice or not we don't know, because he has gone quiet for a day.

I think as a responsible officer of Experian refusing to deal with the fundamental nature of the breach and treating it as if it is just a possible glitch on my file only which I need to tell him about, he may himself also be personally breaking the law.

Sad to say but unless they get their finger out, Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.

I just cannot for the life of me understand how they can so nonchalantly obtain and hold any data against anyone's name when the date of birth they have obtained is wrong. It is not their business to simply be a repository of all transacted data that might be in our names, safeguarding it for ever in case there has been a typo by the people that gave it to them, and the rest of it may be ok. It is their business to reject incorrect data, especially when a fundamental input filter like date of birth shows the data cannot stand.

All such fundamental mismatches should be quarantined and then verified/rectified with the source trying to input it or it must be destroyed. Whether that quarantine should even be at the CRA or at the source is another very big question.

Date of Birth is so fundamental to personal data processing.

In my case this false data has stood for two months in their database.

However many more cases are there like this ?

I have told Experian I can tell them exactly if they let me query their database.

If I can bloody well tell them how to do it with a standard database query that a 12 year old could do, then why are they doing nothing to clean up their act?

I have another example of where Experian's personal data protection may be flawed, and that relates to gaining access to full online credit reports. I know that CRAs themselves are constantly under attack to release our data to fraudsters who would use it as an aide memoire to launch attacks. I have discovered that with surprisingly little security data being verified, in certain somewhat surprising circumstances Experian can be persuaded by phone to delete previous accounts or previous failed registrations where documentary evidence was demanded but never provided. If it was demanded previously then how is it suddenly not necessary on the strength of a phone call a year or two later? The inconsistency is worrying.

I also have a fear that they might then allow a brand new squeaky clean registration with only 3 out of four registration security questions correct. The security questions are tough enough (if you don't already have a copy of a previous CRA report to crib from) but surely they must ALL be answered correctly to get access to a spanking new report?
In my case a version of my credit report is already in the hands of fraudsters courtesy of another CRA with a security hole at the time, CallCredit now known more by its trading name Noddle.


Running CRAs like this is not the way to protect us - this way we are all made more vulnerable.

What on earth is happening? We are also very clearly being badly let down big time by the Information Commissioners Office. Do we have an Official ICO Representative on MSE?

Comments

  • ....And breathe!
  • dannny_2
    dannny_2 Posts: 169 Forumite
    He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.

    So you believe there is an error on your record but refuse to state what that error is.
    I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law.

    It's not your job to warn him. There's a nice person who works for the ICO who has that job. Your job is to tell the company what is incorrect, the company then rectifies it or you moan to the ICO.
    Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.

    What warning? You refuse to communicate with the company involved. And I'll quote you
    He invites me to send an email to them to show them what's wrong with my records. I have declined
    I have told Experian I can tell them exactly if they let me query their database.

    So now you want unhindered access to the company's database rather than tell the company what is wrong.
    We are also very clearly being badly let down big time by the Information Commissioners Office

    So have you raised this particular issue with the ICO yet, or are you just spouting?
  • Buzby
    Buzby Posts: 8,275 Forumite
    Afraid to say that came over as a rant. My DoB is my business, I've never given out my correct DoB to any vendor and it has never prevented me from getting credit.

    The beauty of this is that the only folk who really know it (apart from family members, NHS and the DVLA) the rest can go swivel as it is an irrelevance. It is the key to my personal ID and I don't leave my keys exposed to anyone, and that includes CRAs.

    Rather than seek correction and validation, enjoy the fact they haven't a clue.

    I certainly do.
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 29 December 2013 at 6:15PM
    What am I spouting dannny? Fire and brimstone? Pure vitriol ? Maybe so.

    But I am not just spouting, am I?

    Buzby I found your declaration the other day of how you mess with the system quite amusing, but you are pretty unique in managing your affairs that way so you surely aren't suggesting that the public generally should sit back and let it all flow over them?

    Experian invite me to "shore up" my (crumbling?) identity by making it easy for them to deal with it and then forget it via their usual procedures.

    I say no.

    They know the breach - I have made it clear. They have noted a new credit agreement against my file with an incorrect date of birth.

    I have absolutely no doubt whatsoever that if Experian wished to sort my file out or even sort me out they would know exactly who I was without me making a single further post.

    I am not posting for myself. I have the ability to protect my own identity because I am lucky enough to have acquired the skills to get over any stupid problems.

    Most people do not have those skills. They get told to follow procedures. They have no idea how these things happen, they just want to be told their data is fixed and safe again.

    Well, sorry, their data is not safe. I have multiple examples to prove it. One might be unfortunate. Several is worrying in the extreme. Fraudsters are crawling all over CRAs to find a way in and they are in and CRAs are in denial that they let them in.

    It seems they won't even do a whole database dob mismatch query to even start to investigate.

    Here's the test that you will read about here:

    I shall give no more information to Experian on who I am or how to fix this, but I expect it to be fixed very shortly. I will log in daily and report whether the erroneous record has been deleted and report back here.

    The way I see it they have three ways to meet the test:
    1. They could use the spook methods at their disposal to identify me and then just fix my record alone.
    2. They could do the date of birth mismatch query, and then quickly shake out obvious ones like mine on the basis of the mismatch only occurring recently and sticking out like a sore thumb and fix that subset of corrupt data only.
    3. They could do a proper job and quarantine and investigate it all and report themselves to ICO. They really should quarantine all mismatched data and take it off the general database pending investigation and then get to work categorising/grouping the severity of mismatches. They could submit progress reports to ICO and start deciding which banks and other organisations provided most incorrect data and submit the error reports to ICO.
    The last one reminds me of when I started in Financial Services. "Error Reports" were a large part of daily life. The unenlightened amongst you think that was some kind of archaic system and good riddance because now we have computers. You are so blind.

    A computer system is only as good as its data input filters, its error handling and communication of errors at several levels, and the reliability of its data processing routines.

    GIGO !!
    I learned that word in the 1960s when I earned my first diploma in computing. I am not yet even 60 years old. How have we forgotten so easily? If you don't know what it means, look it up, then post.
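The date-of-birth mismatch query and quarantine step described in the post above can be sketched as follows. This is an added example, not part of the original thread and not Experian's system; the `entries` and `quarantine` tables, their columns and the sample rows are constructed assumptions, with SQLite standing in for the database.

```python
import sqlite3

# Constructed sample data: file 1 has a long consistent history plus one
# recent entry with a different date of birth; file 2 is fully consistent.
SAMPLE = [
    (1, "Bank A", "1995-03-01", "1955-06-14"),
    (1, "Bank B", "2001-09-12", "1955-06-14"),
    (1, "Card C", "2008-02-20", "1955-06-14"),
    (1, "Lender X", "2013-10-28", "1971-01-02"),
    (2, "Bank A", "2010-05-05", "1980-11-30"),
    (2, "Card C", "2012-07-19", "1980-11-30"),
]

# Per file, the most frequent date of birth (seen at least twice) is treated
# as established; every entry on that file with a different one is listed.
# A file whose dates tie has all of its tied entries listed for review.
MISMATCH_SQL = """
WITH counts AS (
    SELECT file_id, dob, COUNT(*) AS n FROM entries GROUP BY file_id, dob
),
established AS (
    SELECT c.file_id, c.dob FROM counts c
    WHERE c.n >= 2
      AND c.n = (SELECT MAX(i.n) FROM counts i WHERE i.file_id = c.file_id)
)
SELECT e.id, e.file_id, e.lender, e.opened, e.dob, s.dob AS expected_dob
FROM entries e JOIN established s ON s.file_id = e.file_id
WHERE e.dob <> s.dob
ORDER BY e.opened
"""

def load(rows=SAMPLE):
    """Build an in-memory database holding the sample credit-file entries."""
    conn = sqlite3.connect(":memory:")
    cols = "id INTEGER PRIMARY KEY, file_id INT, lender TEXT, opened TEXT, dob TEXT"
    conn.execute(f"CREATE TABLE entries ({cols})")
    conn.execute(f"CREATE TABLE quarantine ({cols}, expected_dob TEXT)")
    conn.executemany(
        "INSERT INTO entries (file_id, lender, opened, dob) VALUES (?,?,?,?)", rows)
    return conn

def quarantine_mismatches(conn):
    """Move mismatched entries out of the live table; return the moved rows."""
    rows = conn.execute(MISMATCH_SQL).fetchall()
    conn.executemany("INSERT INTO quarantine VALUES (?,?,?,?,?,?)", rows)
    conn.executemany("DELETE FROM entries WHERE id = ?", [(r[0],) for r in rows])
    conn.commit()
    return rows

if __name__ == "__main__":
    for row in quarantine_mismatches(load()):
        print(row)
```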
  • System
    System Posts: 178,093 Community Admin
    I learned that word in the 1960s when I earned my first diploma in computing. I am not yet even 60 years old
    Wow you got your first diploma at 17 (max) when the only computing being taught was at A level, college or Uni.
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 29 December 2013 at 6:43PM
    !!!!!! wrote: »
    Wow you got your first diploma at 17 (max) when the only computing being taught was at A level, college or Uni.
    I was actually much younger. I was working on a DEC PDP10 which I think is still operating and even connected to the internet. Our connection to it was via a unique remote teleprinter circuit in the room next door to where I watched Neil Armstrong set foot on the moon on tv. We programmed in XBASIC and FORTRAN IV.

    Careful how you use your ridicule buttons, !!!!!!. Better if you use them more considerately as the keyboard they are intended to be.
  • dannny_2
    dannny_2 Posts: 169 Forumite
    My degrees in Data Processing with a working knowledge of both the 1984 and 1998 Data Protection Act. Working with mainframes from the 80s, doing data tasks that require a level of knowledge of systems that can confuse me at times.

    I still say you are going about this the wrong way.
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 29 December 2013 at 6:59PM
    dannny wrote: »
    My degrees in Data Processing with a working knowledge of both the 1984 and 1998 Data Protection Act. Working with mainframes from the 80s, doing data tasks that require a level of knowledge of systems that can confuse me at times.

    I still say you are going about this the wrong way.
    Very pleased to hear it, dannny. So then, now you've taken your finger off the ridicule button also, what would you suggest given the evidence?

    PS I wasn't actually suggesting that Experian Company representative should give me access to the world's data, merely suggesting that if I had access like if you did, we could whack out a dob mismatch report in no time, so why hadn't Experian already done it?
  • System
    System Posts: 178,093 Community Admin
    I was actually much younger. I was working on a DEC PDP10 which I think is still operating and even connected to the internet. Our connection to it was via a unique remote teleprinter circuit in the room next door to where I watched Neil Armstrong set foot on the moon on tv. We programmed in XBASIC and FORTRAN IV.

    Careful how you use your ridicule buttons, !!!!!!. Better if you use them more considerately as the keyboard they are intended to be.
    Must have been a good school to have its own PDP considering it was state of the art in the late 60s. I had to make do with time on the IBM mainframe at the local steelworks for 2 afternoons a week
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 29 December 2013 at 7:37PM
    !!!!!! wrote: »
    Must have been a good school to have its own PDP considering it was state of the art in the late 60s. I had to make do with time on the IBM mainframe at the local steelworks for 2 afternoons a week
    It was a very good school but it did not have its own - it had a teleprinter connected to the PDP 10 miles away and we had some kind of timeshare on it. It is very much worth saying that it was a state school and there were quite a few state schools that were on a par - we played rugby and cricket against them without having to travel too far.

    I remember I was so into computing and so young and ignorant that I once peed myself sat at the teleprinter because
    (a) my timeslot was running out and
    (b) I didn't know then how to self-diagnose a chronic urinary infection that caught me out !

    That last one sounds a bit like the situation CRAs are in now, doesn't it?
This discussion has been closed.