In another thread
, which discusses an MSE news story about worrying revelations on security of personal data at Compare The Market (an organisation which itself will have close links to CRAs by virtue of it collecting personal data and constantly causing ID and credit checks on our files), I have got into a surprising ding dong with Experian Company Representative
. According to the signature, he is Head Of Consumer Affairs at Experian (UK I assume and not worldwide - they are a giant worldwide CRA).
He does post at weekends when it suits him, but he has gone strangely quiet since I told him Experian were breaking the law.
I have discovered that Experian tolerate false data on our records to the extent that if you have a good credit history, it seems a fraudster can use an incorrect date of birth to secure credit in your name with the barest name and address details, and Experian will accept that data and simply mark your file with a negative mark because a new credit agreement is registered in your name.
They will not alert you to false date of birth data and it seems they will not alert the bank who gave them the data either because the bank will just carry on like normal same as the CRA until someone says "Hey, what are you playing at?"
Furthermore, when I point out that there is an obvious date of birth mismatch, Experian Company Representative says date of birth is not the only identifying data they use :mad: . What planet is he on ? Those of us that understand relational databases have to wonder whether he has any skill in the realm of data science at all ?
My Experian CRA record has tens of entries recorded over decades all with the correct date of birth, yet now it has one two month old one with a totally incorrect date of birth - the fraudulent credit agreement.
I am an established case with very consistent personal data. If it can happen to my data record at Experian, it can happen to thousands.
And the official Experian spokesperson on MSE (yes they have one surprise surprise) says date of birth is not the only identifying factor
. He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.
I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law. Whether he is heeding my advice or not we don't know, because he has gone quiet for a day.
I think as a responsible officer of Experian refusing to deal with the fundamental nature of the breach and treating it as if it is just a possible glitch on my file only which I need to tell him about, he may himself also be personally breaking the law.
Sad to say but unless they get their finger out, Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.
I just cannot for the life of me understand how they can so nonchalantly obtain and hold any data against anyone's name when the date of birth they have obtained is wrong. It is not their business to simply be a repository of all transacted data that might be
in our names, safeguarding it for ever in case there has been a typo by the people that gave it to them, and the rest of it may be ok. It is
their business to reject incorrect data, especially when a fundamental input filter like date of birth shows the data cannot stand.
All such fundamental mismatches should be quarantined and then verified/rectified with the source trying to input it or it must be destroyed. Whether that quarantine should be even be at the CRA or at the source is another very big question.
Date of Birth is so fundamental to personal data processing.
In my case this false data has stood for two months in their database.
However many more cases are there like this ?
I have told Experian I can tell them exactly if they let me query their database.
If I can bloody well tell them how to do it with a standard database query that a 12 year old could do, then why are they doing nothing to clean up their act?
I have another example of where Experian's personal data protection may be flawed, and that relates to gaining access to full online credit reports. I know that CRAs themselves are constantly under attack to release our data to fraudsters who would use it as an aide memoire to launch attacks. I have discovered that with surprisingly little security data being verified, in certain somewhat surprising circumstances Experian can be persuaded by phone to delete previous accounts or previous failed registrations where documentary evidence was demanded but never provided. If it was demanded previously then how is it suddenly not necessary on the strength of a phone call a year or two later? The inconsistency is worrying.
I also have a fear that they might then allow a brand new squeaky clean registration with only 3 out of four registration security questions correct. The security questions are tough enough (if you dont already have a copy of a previous CRA report to crib from) but surely they must ALL be answered correctly to get access to a spanking new report?
In my case a version of my credit report is already in the hands of fraudsters courtesy of another CRA with a security hole at the time, CallCredit now known more by its trading name Noddle.
Running CRAs like this is not the way to protect us - this way we are all made more vulnerable.
What on earth is happening? We are also very clearly being badly let down big time by the Information Commissioners Office. Do we have an Official ICO Representative on MSE?