  • FIRST POST
    VictimOfImpersonation
    Experian's Fundamental Breach of Data Protection Act 1998
    • #1
    • 29th Dec 13, 2:57 PM
    In another thread, which discusses an MSE news story about worrying revelations on security of personal data at Compare The Market (an organisation which itself will have close links to CRAs by virtue of it collecting personal data and constantly causing ID and credit checks on our files), I have got into a surprising ding dong with Experian Company Representative. According to the signature, he is Head Of Consumer Affairs at Experian (UK I assume and not worldwide - they are a giant worldwide CRA).

    He does post at weekends when it suits him, but he has gone strangely quiet since I told him Experian were breaking the law.

    I have discovered that Experian tolerate false data on our records to the extent that if you have a good credit history, it seems a fraudster can use an incorrect date of birth to secure credit in your name with the barest name and address details, and Experian will accept that data and simply mark your file with a negative mark because a new credit agreement is registered in your name.

    They will not alert you to false date of birth data and it seems they will not alert the bank who gave them the data either because the bank will just carry on like normal same as the CRA until someone says "Hey, what are you playing at?"

    Furthermore, when I point out that there is an obvious date of birth mismatch, Experian Company Representative says date of birth is not the only identifying data they use. What planet is he on? Those of us that understand relational databases have to wonder whether he has any skill in the realm of data science at all?

    My Experian CRA record has tens of entries recorded over decades all with the correct date of birth, yet now it has one two month old one with a totally incorrect date of birth - the fraudulent credit agreement.

    I am an established case with very consistent personal data. If it can happen to my data record at Experian, it can happen to thousands.

    And the official Experian spokesperson on MSE (yes they have one surprise surprise) says date of birth is not the only identifying factor. He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.

    I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law. Whether he is heeding my advice or not we don't know, because he has gone quiet for a day.

    I think as a responsible officer of Experian refusing to deal with the fundamental nature of the breach and treating it as if it is just a possible glitch on my file only which I need to tell him about, he may himself also be personally breaking the law.

    Sad to say but unless they get their finger out, Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.

    I just cannot for the life of me understand how they can so nonchalantly obtain and hold any data against anyone's name when the date of birth they have obtained is wrong. It is not their business to simply be a repository of all transacted data that might be in our names, safeguarding it for ever in case there has been a typo by the people that gave it to them, and the rest of it may be ok. It is their business to reject incorrect data, especially when a fundamental input filter like date of birth shows the data cannot stand.

    All such fundamental mismatches should be quarantined and then verified/rectified with the source trying to input it or it must be destroyed. Whether that quarantine should even be at the CRA or at the source is another very big question.

    Date of Birth is so fundamental to personal data processing.

    In my case this false data has stood for two months in their database.

    However many more cases are there like this?

    I have told Experian I can tell them exactly if they let me query their database.

    If I can bloody well tell them how to do it with a standard database query that a 12 year old could do, then why are they doing nothing to clean up their act?

    I have another example of where Experian's personal data protection may be flawed, and that relates to gaining access to full online credit reports. I know that CRAs themselves are constantly under attack to release our data to fraudsters who would use it as an aide memoire to launch attacks. I have discovered that with surprisingly little security data being verified, in certain somewhat surprising circumstances Experian can be persuaded by phone to delete previous accounts or previous failed registrations where documentary evidence was demanded but never provided. If it was demanded previously then how is it suddenly not necessary on the strength of a phone call a year or two later? The inconsistency is worrying.

    I also have a fear that they might then allow a brand new squeaky clean registration with only 3 out of four registration security questions correct. The security questions are tough enough (if you don't already have a copy of a previous CRA report to crib from) but surely they must ALL be answered correctly to get access to a spanking new report?
    In my case a version of my credit report is already in the hands of fraudsters courtesy of another CRA with a security hole at the time, CallCredit now known more by its trading name Noddle.


    Running CRAs like this is not the way to protect us - this way we are all made more vulnerable.

    What on earth is happening? We are also very clearly being badly let down big time by the Information Commissioners Office. Do we have an Official ICO Representative on MSE?
    Last edited by VictimOfImpersonation; 29-12-2013 at 3:09 PM.
    • whitegoods_engineer
    • By whitegoods_engineer 29th Dec 13, 4:27 PM
    • 605 Posts
    • 808 Thanks
    whitegoods_engineer
    • #2
    • 29th Dec 13, 4:27 PM
    ....And breathe!
  • dannny
    • #3
    • 29th Dec 13, 4:33 PM
    He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.
    Originally posted by VictimOfImpersonation
    So you believe there is an error on your record but refuse to state what that error is.

    I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law.
    Originally posted by VictimOfImpersonation
    It's not your job to warn him. There's a nice person who works for the ICO who has that job. Your job is to tell the company what is incorrect, the company then rectifies it or you moan to the ICO.

    Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.
    Originally posted by VictimOfImpersonation
    What warning? You refuse to communicate with the company involved. And I'll quote you

    He invites me to send an email to them to show them what's wrong with my records. I have declined
    Originally posted by VictimOfImpersonation
    I have told Experian I can tell them exactly if they let me query their database.
    Originally posted by VictimOfImpersonation
    So now you want unhindered access to the company's database rather than tell the company what is wrong.

    We are also very clearly being badly let down big time by the Information Commissioners Office
    Originally posted by VictimOfImpersonation
    So have you raised this particular issue with the ICO yet, or are you just spouting?
    • Buzby
    • By Buzby 29th Dec 13, 4:47 PM
    • 8,201 Posts
    • 3,011 Thanks
    Buzby
    • #4
    • 29th Dec 13, 4:47 PM
    Afraid to say that came over as a rant. My DoB is my business, I've never given out my correct DoB to any vendor and it has never prevented me from getting credit.

    The beauty of this is that the only folk who really know it (apart from family members, NHS and the DVLA) the rest can go swivel as it is an irrelevance. It is the key to my personal ID and I don't leave my keys exposed to anyone, and that includes CRA's.

    Rather than seek correction and validation, enjoy the fact they haven't a clue.

    I certainly do.
  • VictimOfImpersonation
    • #5
    • 29th Dec 13, 5:08 PM
    What am I spouting dannny? Fire and brimstone? Pure vitriol? Maybe so.

    But I am not just spouting, am I?

    Buzby I found your declaration the other day of how you mess with the system quite amusing, but you are pretty unique in managing your affairs that way so you surely aren't suggesting that the public generally should sit back and let it all flow over them?

    Experian invite me to "shore up" my (crumbling?) identity by making it easy for them to deal with it and then forget it via their usual procedures.

    I say no.

    They know the breach - I have made it clear. They have noted a new credit agreement against my file with an incorrect date of birth.

    I have absolutely no doubt whatsoever that if Experian wished to sort my file out or even sort me out they would know exactly who I was without me making a single further post.

    I am not posting for myself. I have the ability to protect my own identity because I am lucky enough to have acquired the skills to get over any stupid problems.

    Most people do not have those skills. They get told to follow procedures. They have no idea how these things happen, they just want to be told their data is fixed and safe again.

    Well, sorry, their data is not safe. I have multiple examples to prove it. One might be unfortunate. Several is worrying in the extreme. Fraudsters are crawling all over CRAs to find a way in and they are in and CRAs are in denial that they let them in.

    It seems they won't even do a whole database dob mismatch query to even start to investigate.

    Here's the test that you will read about here:

    I shall give no more information to Experian on who I am or how to fix this, but I expect it to be fixed very shortly. I will log in daily and report whether the erroneous record has been deleted and report back here.

    The way I see it they have three ways to meet the test:
    1. They could use the spook methods at their disposal to identify me and then just fix my record alone.
    2. They could do the date of birth mismatch query, and then quickly shake out obvious ones like mine on the basis of the mismatch only occurring recently and sticking out like a sore thumb and fix that subset of corrupt data only.
    3. They could do a proper job and quarantine and investigate it all and report themselves to ICO. They really should quarantine all mismatched data and take it off the general database pending investigation and then get to work categorising/grouping the severity of mismatches. They could submit progress reports to ICO and start deciding which banks and other organisations provided most incorrect data and submit the error reports to ICO.
    The last one reminds me of when I started in Financial Services. "Error Reports" were a large part of daily life. The unenlightened amongst you think that was some kind of archaic system and good riddance because now we have computers. You are so blind.

    A computer system is only as good as its data input filters, its error handling and communication of errors at several levels, and the reliability of its data processing routines.

    GIGO!!
    I learned that word in the 1960s when I earned my first diploma in computing. I am not yet even 60 years old. How have we forgotten so easily? If you don't know what it means, look it up, then post.
    Last edited by VictimOfImpersonation; 29-12-2013 at 5:15 PM.
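The date of birth mismatch query and quarantine step argued for in posts #1 and #5, sketched as an added example that is not part of the thread and is not any CRA's code or schema. The table layout, column and source names, the `min_agree` threshold and the sample rows are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (record_id, file_id, source, opened, dob).
# Table layout, column names and source names are hypothetical.
SAMPLE = [
    (1, "F1", "BankA", "1995-03-01", "1956-04-12"),
    (2, "F1", "BankB", "2001-07-15", "1956-04-12"),
    (3, "F1", "CardC", "2008-11-02", "1956-04-12"),
    (4, "F1", "LenderX", "2013-10-28", "1971-09-30"),  # new entry, different DOB
    (5, "F2", "BankA", "2010-01-05", "1980-02-02"),
    (6, "F2", "LenderX", "2012-06-09", "1980-02-20"),  # one against one
    (7, "F3", "BankB", "1999-05-05", "1962-12-01"),
    (8, "F3", "BankB", "2004-05-05", "1962-12-01"),
]
COLS = "record_id INTEGER PRIMARY KEY, file_id TEXT, source TEXT, opened TEXT, dob TEXT"

# A file's established DOB: held by at least :min_agree records and by a
# strict majority of the file, so at most one DOB per file can qualify.
CONSENSUS_CTE = """
WITH counts AS (
    SELECT file_id, dob, COUNT(*) AS n FROM records GROUP BY file_id, dob),
totals AS (
    SELECT file_id, SUM(n) AS total FROM counts GROUP BY file_id),
consensus AS (
    SELECT c.file_id, c.dob FROM counts c JOIN totals t ON t.file_id = c.file_id
    WHERE c.n >= :min_agree AND c.n * 2 > t.total)
"""
MISMATCH_SQL = CONSENSUS_CTE + """
SELECT r.record_id, r.file_id, r.source, r.dob, c.dob
FROM records r JOIN consensus c ON c.file_id = r.file_id
WHERE r.dob <> c.dob ORDER BY r.record_id"""
REVIEW_SQL = CONSENSUS_CTE + """
SELECT file_id FROM records GROUP BY file_id
HAVING COUNT(DISTINCT dob) > 1
   AND file_id NOT IN (SELECT file_id FROM consensus)
ORDER BY file_id"""


def load(rows):
    """Build an in-memory database with a live table and a quarantine table."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE records ({COLS})")
    db.execute(f"CREATE TABLE quarantine ({COLS}, expected_dob TEXT)")
    db.executemany("INSERT INTO records VALUES (?,?,?,?,?)", rows)
    return db


def find_mismatches(db, min_agree=2):
    """Rows whose DOB differs from the established DOB of their file."""
    return db.execute(MISMATCH_SQL, {"min_agree": min_agree}).fetchall()


def files_needing_review(db, min_agree=2):
    """Files with conflicting DOBs but no clear majority: a person must decide."""
    return [r[0] for r in db.execute(REVIEW_SQL, {"min_agree": min_agree})]


def quarantine_mismatches(db, min_agree=2):
    """Move flagged rows out of the live table; return error counts per source."""
    flagged = find_mismatches(db, min_agree)
    with db:  # single transaction: a row is never in both tables or in neither
        for record_id, _file, _source, _dob, expected in flagged:
            db.execute("INSERT INTO quarantine SELECT record_id, file_id, source,"
                       " opened, dob, ? FROM records WHERE record_id = ?",
                       (expected, record_id))
            db.execute("DELETE FROM records WHERE record_id = ?", (record_id,))
    rows = db.execute("SELECT source, COUNT(*) FROM quarantine GROUP BY source")
    return dict(rows.fetchall())


if __name__ == "__main__":
    db = load(SAMPLE)
    print("mismatches:", find_mismatches(db))
    print("manual review:", files_needing_review(db))
    print("errors by source:", quarantine_mismatches(db))
```

The same check applied to each incoming record before insertion is the input filter post #1 asks for; a file like F2, where one date stands against one, cannot be resolved by the query alone and is listed for manual review instead of being quarantined.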
  • archived user
    • #6
    • 29th Dec 13, 5:24 PM
    I learned that word in the 1960s when I earned my first diploma in computing. I am not yet even 60 years old
    Wow you got your first diploma at 17 (max) when the only computing being taught was at A level, college or Uni.
  • VictimOfImpersonation
    • #7
    • 29th Dec 13, 5:31 PM
    Wow you got your first diploma at 17 (max) when the only computing being taught was at A level, college or Uni.
    Originally posted by !!!!!!!
    I was actually much younger. I was working on a DEC PDP10 which I think is still operating and even connected to the internet. Our connection to it was via a unique remote teleprinter circuit in the room next door to where I watched Neil Armstrong set foot on the moon on tv. We programmed in XBASIC and FORTRAN IV.

    Careful how you use your ridicule buttons, !!!!!!!. Better if you use them more considerately as the keyboard they are intended to be.
    Last edited by VictimOfImpersonation; 29-12-2013 at 5:43 PM.
  • dannny
    • #8
    • 29th Dec 13, 5:43 PM
    My degrees in Data Processing with a working knowledge of both the 1984 and 1998 Data Protection Act. Working with mainframes from the 80s, doing data tasks that require a level of knowledge of systems that can confuse me at times.

    I still say you are going about this the wrong way.
  • VictimOfImpersonation
    • #9
    • 29th Dec 13, 5:56 PM
    My degrees in Data Processing with a working knowledge of both the 1984 and 1998 Data Protection Act. Working with mainframes from the 80s, doing data tasks that require a level of knowledge of systems that can confuse me at times.

    I still say you are going about this the wrong way.
    Originally posted by dannny
    Very pleased to hear it, dannny. So then, now you've taken your finger off the ridicule button also, what would you suggest given the evidence?

    PS I wasn't actually suggesting that Experian Company representative should give me access to the world's data, merely suggesting that if I had access like if you did, we could whack out a dob mismatch report in no time, so why hadn't Experian already done it?
    Last edited by VictimOfImpersonation; 29-12-2013 at 5:59 PM.
  • archived user
    I was actually much younger. I was working on a DEC PDP10 which I think is still operating and even connected to the internet. Our connection to it was via a unique remote teleprinter circuit in the room next door to where I watched Neil Armstrong set foot on the moon on tv. We programmed in XBASIC and FORTRAN IV.

    Careful how you use your ridicule buttons, !!!!!!!. Better if you use them more considerately as the keyboard they are intended to be.
    Originally posted by VictimOfImpersonation
    Must have been a good school to have its own PDP considering it was state of the art in the late 60s. I had to make do with time on the IBM mainframe at the local steelworks for 2 afternoons a week
  • VictimOfImpersonation
    Must have been a good school to have its own PDP considering it was state of the art in the late 60s. I had to make do with time on the IBM mainframe at the local steelworks for 2 afternoons a week
    Originally posted by !!!!!!!
    It was a very good school but it did not have its own - it had a teleprinter connected to the PDP 10 miles away and we had some kind of timeshare on it. It is very much worth saying that it was a state school and there were quite a few state schools that were on a par - we played rugby and cricket against them without having to travel too far.

    I remember I was so into computing and so young and ignorant that I once peed myself sat at the teleprinter because
    (a) my timeslot was running out and
    (b) I didn't know then how to self-diagnose a chronic urinary infection that caught me out!

    That last one sounds a bit like the situation CRAs are in now, doesn't it?
    Last edited by VictimOfImpersonation; 29-12-2013 at 6:37 PM.
    • Tiddlywinks
    • By Tiddlywinks 29th Dec 13, 7:07 PM
    • 5,351 Posts
    • 18,507 Thanks
    Tiddlywinks
    OP - You're coming across as completely narcissistic.

    Report the anomaly to the CRA and ask them to correct the error as they are breaching the DPA.

    If they do not comply, go to the ICO.

    Ranting and entering into a p1551ng competition other members over who is most knowledgeable about systems from the '60s is just a waste of energy and makes you look a bit of a peacock out to just strut your stuff.
  • VictimOfImpersonation
    OP - You're coming across as completely narcissistic.
    Originally posted by Tiddlywinks
    Suggest you don't use words where you've only a whiff of understanding of the meaning. I wasn't sure so I looked it up. You were wrong to use it.

    Report the anomaly to the CRA and ask them to correct the error as they are breaching the DPA.
    I have. They can find it easily alongside the thousands of other breaches just by doing a simple mismatch query. You surely cannot be so naive to believe this is a "one off"?
    If they do not comply, go to the ICO.
    Not right now. Let ICO wake up and read about it here. Another test if you like.

    Ranting and entering into a p1551ng competition other members over who is most knowledgeable about systems from the '60s is just a waste of energy and makes you look a bit of a peacock out to just strut your stuff.
    Ranting got your attention if that's what you want to call it, and even got you clicking through and leaving your mark on the thread I referred to, plus it's landed a view a minute since I posted I think? The p|ssing was in my pants when I was barely a teenager. You read about it here from me. Hardly narcissistic of me to mention it I think?

    My addition of a little validatory computing jargon soon brought danny and !!!!!!! off their high horses and now they might engage, and so might others from the mob who otherwise are tempted to leap in and start bandying about those stupid words "rant" and "troll" when someone introduces huge public interest issues that challenge their comfortable ideas of an ok status quo.
    Last edited by VictimOfImpersonation; 29-12-2013 at 7:45 PM.
    • patanne
    • By patanne 29th Dec 13, 7:45 PM
    • 1,270 Posts
    • 2,553 Thanks
    patanne
    Whilst I do understand where you are coming from with this, I believe that you are under a misconception. The data protection act is not there to protect our data, it is there to protect them from us claiming that the data they hold is incorrect. That way when they make mistakes they do not need to correct them until we have gone kicking and screaming to some regulatory authority. Was aforementioned computer in Dover st?
    • meer53
    • By meer53 29th Dec 13, 7:45 PM
    • 9,604 Posts
    • 14,043 Thanks
    meer53
    Here we go again. Yawn.
    • Tiddlywinks
    • By Tiddlywinks 29th Dec 13, 7:53 PM
    • 5,351 Posts
    • 18,507 Thanks
    Tiddlywinks
    Suggest you don't use words where you've only a whiff of understanding of the meaning. I wasn't sure so I looked it up. You were wrong to use it.
    Originally posted by VictimOfImpersonation
    http://en.wikipedia.org/wiki/Narcissism

    No, I think I got that right... you are very obviously full of your own importance and believe that everyone should do your bidding.

    They can find it easily alongside the thousands of other breaches just by doing a simple mismatch query. You surely cannot be so naive to believe this is a "one off"?
    Not right now. Let ICO wake up and read about it here. Another test if you like.
    Originally posted by VictimOfImpersonation
    Oh for goodness sake... unfortunately, when processing large quantities of data there will always be inaccuracies. Just use the systems in place to address this.

    The ICO and his department will NOT be trawling MSE every day on the off chance that you are here having a moan.

    Again, you clearly believe you are cleverer than everyone else.

    Ranting got your attention if that's what you want to call it, plus a view a minute since I posted I think? The p|ssing was in my pants when I was barely a teenager. You read about it here from me. Hardly narcissistic of me to mention it I think?
    Originally posted by VictimOfImpersonation
    No, the fact that you are looking at the 'views per minute' just shows how self centred you are. I bet your chest is puffed out now full of pride.

    My addition of a little validatory computing jargon soon brought danny and !!!!!!! off their high horses and now they might engage, and so might others from the mob who otherwise are tempted to leap in and start bandying about those stupid words "rant" and "troll" when someone introduces huge public interest issues that challenge their comfortable ideas of an ok status quo.
    Originally posted by VictimOfImpersonation
    There you go again... presenting yourself as a champion of the masses... and master of the forum.

    My hero!
    • meer53
    • By meer53 29th Dec 13, 7:54 PM
    • 9,604 Posts
    • 14,043 Thanks
    meer53
    Huge public interest issues? Where?
    • Tiddlywinks
    • By Tiddlywinks 29th Dec 13, 7:59 PM
    • 5,351 Posts
    • 18,507 Thanks
    Tiddlywinks
    Here's how to complain:

    http://www.ico.org.uk/complaints/handling

    The 8 'Data Principles':

    http://www.ico.org.uk/for_organisations/data_protection/the_guide/the_principles
  • VictimOfImpersonation
    Huge public interest issues? Where?
    Originally posted by meer53
    MSE attracts all types doesn't it? I am sure there are words to describe them all. Some of them flock to these type of threads like white blood cells to the site of a wound and then scab themselves all over it! The body inevitably is corporate. Not sure what it makes them ... but if they find they get picked off and flicked away later then I guess that's their look out.

    Let's see how long it takes for my personal data to shore itself up. Anyone want to offer a book on it?
    Last edited by VictimOfImpersonation; 29-12-2013 at 8:08 PM.
    • Tiddlywinks
    • By Tiddlywinks 29th Dec 13, 8:04 PM
    • 5,351 Posts
    • 18,507 Thanks
    Tiddlywinks
    MSE attracts all types doesn't it? I am sure there are words to describe them all. Let's see how long it takes for my personal data to shore itself up. Anyone want to offer a book on it?
    Originally posted by VictimOfImpersonation
    No-one else really cares - but the narcissist in you just doesn't understand that.

    Your personal data - your problem.

    You have noted an anomaly, you are refusing to use the processes available to address this - so... suck it up.