Experian's Fundamental Breach of Data Protection Act 1998

1356711

Comments

  • Tiddlywinks
    Tiddlywinks Posts: 5,777
    I've been Money Tipped!
    Forumite
    edited 29 December 2013 at 9:45PM
    Do you really think this thread will be left for all to trawl and stumble upon via Google without being resolved?

    Eh, yes I do.

    Why? Because you are not as important in the grand scheme of things as you think you are.... I refer again to this.

    Just use the processes available - fill in the form indicated by the company rep and then go to the ICO if unresolved.
    :hello:
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 29 December 2013 at 10:15PM
    I mentioned the fantastic quality of a large chunk of 60s and 70s state schooling earlier.

    I blame the schooling that beset the 80s and 90s. That was where it became the norm that to be a "swot" was to be hounded and ridiculed for being different, and an ability to blend in with the lowest common denominator and to follow the lead of celebs, monied sorts and wannabes was key to survival.

    Such a shame that made its inevitable way into the thinking of a whole generation.

    Loadsamoney!!:(
  • goonarmy
    goonarmy Posts: 1,006 Forumite
    I mentioned the fantastic quality of a large chunk of 60s and 70s state schooling earlier.

    I blame the schooling that beset the 80s and 90s. That was where it became the norm that to be a "swot" was to be hounded and ridiculed for being different, and an ability to blend in with the lowest common denominator and to follow the lead of celebs, monied sorts and wannabes was key to survival.

    Such a shame that made its inevitable way into the thinking of a whole generation.

    Loadsamoney!!:(

    What are you on....about?
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 30 December 2013 at 12:33AM
    Well glad that I haven't wound you up too far then, goonarmy!

    You sound a practical sort of bloke. I am too.

    Do you think it is right that someone can guess you are good for a new credit card account from where you live, dip your postbox for a partial name and an address, go online to one of the banks which by chance has done business with you for years, enter a completely fictitious application apart from the partial name and address, and then the bank checks it or registers that data including the wrong date of birth with a CRA and issues a new card. The CRA has loads of data on you already and does not query the wrong date of birth but just adds the new account to the list of all your credit accounts and just marks down your credit score a fraction because you just opened a new account. Then the fraudster intercepts the card and PIN, ges online again and registers for online banking with a completely different email address and mobile phone to the ones you have registered with the bank, and still no-one notices anything wrong until the card is maxed out? Then what? The bank adds a £12 over credit limit charge and sends you a letter to tell you just that. You have never been overlimit in your life. But they send out that letter and just relax. Nothing else.

    Meantime the CRAs now have two months records on the account, they can see now it is overlimit, but both entries show green and ok.


    As a practical bloke, do you think that it is likely that I am the only one affected by such an experience?

    And as a practical bloke, do you not think there must be a horrendous failure in the system for it to happen? Or are you a diagnostics machine every time sort who just whacks in a replacement unit for what the machine tells you and drives away again without a bother about why?
  • goonarmy
    goonarmy Posts: 1,006 Forumite
    Well glad that I haven't wound you up too far then, goonarmy!

    You sound a practical sort of bloke. I am too.

    Do you think it is right that someone can guess you are good for a new credit card account from where you live, dip your postbox for a partial name and an address, go online to one of the banks which by chance has done business with you for years, enter a completely fictitious application apart from the partial name and address, and then the bank checks it or registers that data including the wrong date of birth with a CRA and issues a new card. The CRA has loads of data on you already and does not query the wrong date of birth but just adds the new account to the list of all your credit accounts and just marks down your credit score a fraction because you just opened a new account. Then the fraudster intercepts the card and PIN, ges online again and registers for online banking with a completely different email address and mobile phone to the ones you have registered with the bank, and still no-one notices anything wrong until the card is maxed out? Then what? The bank adds a £12 over credit limit charge and sends you a letter to tell you just that. You have never been overlimit in your life. But they send out that letter and just relax. Nothing else.

    Meantime the CRAs now have two months records on the account, they can see now it is overlimit, but both entries show green and ok.


    As a practical bloke, do you think that it is likely that I am the only one affected by such an experience?

    And as a practical bloke, do you not think there must be a horrendous failure in the system for it to happen? Or are you a diagnostics machine every time sort who just whacks in a replacement unit for what the machine tells you and drives away again without a bother about why?
    You havent wound me up in the slightest, but i got bored reading your third sentance. Your typings worse than mine and I dont even try! Anyway, no ones looking on the net to sort your problems.

    And some advice: dont assume the sex of posters on a forum.
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 30 December 2013 at 1:03AM
    goonarmy wrote: »
    You havent wound me up in the slightest, but i got bored reading your third sentance.
    Oh - limited attention span?
    Your typings worse than mine and I dont even try!
    I think you mean my sentence was too long and your patience was by then thin. OK, if you aren't interested you can take a horse to water, but not make it drink and all that!
    Anyway, no ones looking on the net to sort your problems.
    Oh dear back to put-downs again ... sigh
    And some advice: dont assume the sex of posters on a forum.
    Oh well, bloke, bloke-ette - Sorr-eee! I must admit I don't know many women who use !!!!!!. Can't say I didn't try to adjust my style a bit though, to see if you might engage.


    So, as I was saying, I don't think the 80s and 90s were a good period for developing the kind of enquiring minds that question bad practice - they are more likely to turn on or question anyone amongst them who is a bit different and dares to draw attention to himself above the parapet and try to knock their block off.

    However, some of us baby boomers do question bad practice, sometimes with terrier-like tenacity, especially those of us who didn't use our great state educations just to get filthy rich and pull up the drawbridges behind us.

    So here I am today, and tomorrow and the day after tomorrow, until the CRAs get it fixed.
  • dannny_2
    dannny_2 Posts: 169 Forumite
    edited 30 December 2013 at 11:41AM
    what would you suggest

    I suggest you contact the company, give them full details and ask them to resolve the matter. If they fail to do so make a complaint to the ICO.

    ICO will humm and ahhh for a few months, do !!!!!! all, and life continues.



    As a side note, life was a hell of a lot easier when computers consisted of nice large mainframes and you required a degree in mathematics to programme them.

    The proliferation of data gathering by governments and organisations just for the sake of it is a worrying trend.

    In one recent development ovivo mobile now require an actual copy of one of the following

    • Deed Poll
    • Marriage Certificate
    • Civil Partnership Registration Document
    • Statutory Declaration
    • Divorce Papers
    • Dissolved Civil Partnership Papers
    • Copy of Entry in Register of Corrections (Scotland only)
    • Amended Birth or Adoption Certificate
    if you want to change your name on your account. Theres absolutely no need for it.
  • dannny wrote: »
    <snip> Theres absolutely no need for it.
    Indeed. Even the mighty HMRC were happy with a short letter when I changed my name.
    Are you for real? - Glass Half Empty??
    :coffee:
  • dannny wrote: »
    I suggest you contact the company, give them full details and ask them to resolve the matter.
    I thought I already did?

    Full details are as follows:

    Experian recklessly accepts incorrect new date of birth data from bank partners on to customer CRA records, doesn't query it, and thus far hasn't cleaned up its database which I am quite logically imagining is full of such instances.

    Consequently it means their entire database is open to attacks by serious organised crime. I will tell you how:

    The fraudsters successfully open a new credit card account online in anyone's name at that person's known vulnerable address (there are millions of vulnerable postboxes in blocks of flats particularly) but using any old date of birth they fancy. That's the first vulnerability because the bank misses the error and the CRA does not alert the bank of the error either.

    The card arrives and they intercept it because the named person is not expecting a new card or PIN.

    The fraudsters then go online again and visit a CRA site to obtain an account verifying the first line of security using the card. That is the second vulnerability and we all know it is the third that gets you!

    Then if they have sufficient other data e.g. other intercepted post like a mortgage statement and bank statement they may be able to answer maybe 3 out of 4 further security questions correctly and get access to a full credit report in your name. That is a just a question of brute force attack armed with personal data from several sources (as long as 5 years ago bank workers were routinely warned that they might be accosted on their way home or in the pub by criminals willing to offer £1,000 each for limited bits of customer stationery or passwords / dob / mothers maiden name etc.). A proportion of brute force attacks to CRA websites will therefore succeed. Armed with a full CRA report, crimianls are laughing. They can then do enormous damage in a short space of time (thousands of pounds in the space of a week is not uncommon for each mark).

    This is why I have raised other issues besides the date of birth fiasco. How is it that Experian demanded documentary evidence of ID on a previous registration attempt but after a given period on the strength of an out of the blue phone call (I can't seem to open an account online - it said to call you) were willing to wipe the previous incomplete registration (where no documentary evidence was ever provided)? How then was I permitted to register again afresh with no documentary evidence ? I think Experian were using data that I had previously input in a failed attempt to register in order to identify me this time for certain. They asked me the memorable word I had input last time. Then they deleted all record of previous attempts and invited me to try again. I did so, and this time I registered with no additional documentary evidence. That is worrying and I have a feeling it may because there was a CIFAS marker last time I tried, but it has dropped off, but I am guessing.

    For serious organised crime, it is just a numbers game. Don't imagine the crime bosses delete their failed attempts from their own databases. They retain the personal data they are able to secure on their targets. They may give up on one tact, but then re-use the data for another type of attack a month later or even many months later.

    No-one seems to want to be aware of this. It is perhaps too much scare-mongering for the public's appetite.

    I am aware of it because it has happened to me and happened to others who live near me.

    My full credit report was obtained online by criminals through CallCredit. There was an immediate large scale attack when they obtained it but I managed to closedown the thing sufficiently that they quickly lost interest (for a period). The criminals obtained many thousands of pounds inside a week of getting my credit report then gave up trying for more for a bit.

    A month later they used my address for two account takeovers, maybe more. At least I found two credit card statements before the fraudsters intercepted them and I reported them. That was the first that those other victims knew that their accounts had been taken over and by my quick action in contacting their banks their ID was "shored up" as Experian Company Representative likes to put it.

    My name and address were then on CIFAS for a year and that probably diverted fraudsters attention to easier pickings for a time, but they didn't forget.

    The time came for them to try again. The CIFAS marker had dropped off, certain banks clearly don't check dates of birth or bank account details submitted on credit card apps, and CRAs don't question the inconsistent garbage before they add it to the file.


    Can you not see that all this, coupled with general knowledge hereabouts that ID fraud became so rife that IDTheft insurance came and went as its own separate scandal, is a clear pointer that Experian's offer to treat my dob mismatch in splendid isolation is a sick joke?
    If they fail to do so make a complaint to the ICO.

    ICO will humm and ahhh for a few months, do !!!!!! all, and life continues.
    If Experian do fail to cause my file to be fixed without further prompting by me, I shall certainly make it known to ICO what I think and to FCA too.

    Meantime, as I said, we are testing them here, and if when I check the database later on it isn't fixed I shall again say so here.

    There is absolutely no reason why an incorrect date of birth should be accepted into their main database whether comedians like Buzby give banks the wrong dob or not. For dob not to be used as a "hard identifier" is to make the whole database unreliable.

    The jury is out on whether CRAs are the right people to investigate corrupt data presented to them rather than simply to reject it back to the source, but I say NO they clearly are not the right people as we can see they haven't even the gumption to clean their own data retrospectively. There seems to be no commercial gain for them to do so.

    Perhaps we should show them there will be a bigger commercial loss if they do not.
  • patanne
    patanne Posts: 1,286 Forumite
    Actually it is not in their financial interests to get this information right. If they could be depended on to get it right then who would pay them to get a credit report? Far fewer people than do currently I'm sure.
This discussion has been closed.
Meet your Ambassadors

Categories

  • All Categories
  • 342.5K Banking & Borrowing
  • 249.9K Reduce Debt & Boost Income
  • 449.4K Spending & Discounts
  • 234.6K Work, Benefits & Business
  • 607.1K Mortgages, Homes & Bills
  • 172.8K Life & Family
  • 247.4K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 15.8K Discuss & Feedback
  • 15.1K Coronavirus Support Boards