Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    VictimOfImpersonation
    Experian's Fundamental Breach of Data Protection Act 1998
    • #1
    • 29th Dec 13, 2:57 PM
    Experian's Fundamental Breach of Data Protection Act 1998 29th Dec 13 at 2:57 PM
    In another thread, which discusses an MSE news story about worrying revelations on security of personal data at Compare The Market (an organisation which itself will have close links to CRAs by virtue of it collecting personal data and constantly causing ID and credit checks on our files), I have got into a surprising ding dong with Experian Company Representative. According to the signature, he is Head Of Consumer Affairs at Experian (UK I assume and not worldwide - they are a giant worldwide CRA).

    He does post at weekends when it suits him, but he has gone strangely quiet since I told him Experian were breaking the law.

    I have discovered that Experian tolerate false data on our records to the extent that if you have a good credit history, it seems a fraudster can use an incorrect date of birth to secure credit in your name with the barest name and address details, and Experian will accept that data and simply mark your file with a negative mark because a new credit agreement is registered in your name.

    They will not alert you to false date of birth data and it seems they will not alert the bank who gave them the data either because the bank will just carry on like normal same as the CRA until someone says "Hey, what are you playing at?"

    Furthermore, when I point out that there is an obvious date of birth mismatch, Experian Company Representative says date of birth is not the only identifying data they use . What planet is he on ? Those of us that understand relational databases have to wonder whether he has any skill in the realm of data science at all ?

    My Experian CRA record has tens of entries recorded over decades all with the correct date of birth, yet now it has one two month old one with a totally incorrect date of birth - the fraudulent credit agreement.

    I am an established case with very consistent personal data. If it can happen to my data record at Experian, it can happen to thousands.

    And the official Experian spokesperson on MSE (yes they have one surprise surprise) says date of birth is not the only identifying factor . He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.

    I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law. Whether he is heeding my advice or not we don't know, because he has gone quiet for a day.

    I think as a responsible officer of Experian refusing to deal with the fundamental nature of the breach and treating it as if it is just a possible glitch on my file only which I need to tell him about, he may himself also be personally breaking the law.

    Sad to say but unless they get their finger out, Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.

    I just cannot for the life of me understand how they can so nonchalantly obtain and hold any data against anyone's name when the date of birth they have obtained is wrong. It is not their business to simply be a repository of all transacted data that might be in our names, safeguarding it for ever in case there has been a typo by the people that gave it to them, and the rest of it may be ok. It is their business to reject incorrect data, especially when a fundamental input filter like date of birth shows the data cannot stand.

    All such fundamental mismatches should be quarantined and then verified/rectified with the source trying to input it or it must be destroyed. Whether that quarantine should be even be at the CRA or at the source is another very big question.

    Date of Birth is so fundamental to personal data processing.

    In my case this false data has stood for two months in their database.

    However many more cases are there like this ?

    I have told Experian I can tell them exactly if they let me query their database.

    If I can bloody well tell them how to do it with a standard database query that a 12 year old could do, then why are they doing nothing to clean up their act?

    I have another example of where Experian's personal data protection may be flawed, and that relates to gaining access to full online credit reports. I know that CRAs themselves are constantly under attack to release our data to fraudsters who would use it as an aide memoire to launch attacks. I have discovered that with surprisingly little security data being verified, in certain somewhat surprising circumstances Experian can be persuaded by phone to delete previous accounts or previous failed registrations where documentary evidence was demanded but never provided. If it was demanded previously then how is it suddenly not necessary on the strength of a phone call a year or two later? The inconsistency is worrying.

    I also have a fear that they might then allow a brand new squeaky clean registration with only 3 out of four registration security questions correct. The security questions are tough enough (if you dont already have a copy of a previous CRA report to crib from) but surely they must ALL be answered correctly to get access to a spanking new report?
    In my case a version of my credit report is already in the hands of fraudsters courtesy of another CRA with a security hole at the time, CallCredit now known more by its trading name Noddle.


    Running CRAs like this is not the way to protect us - this way we are all made more vulnerable.

    What on earth is happening? We are also very clearly being badly let down big time by the Information Commissioners Office. Do we have an Official ICO Representative on MSE?
    Last edited by VictimOfImpersonation; 29-12-2013 at 3:09 PM.
Page 3
    • Joe_Bloggs
    • By Joe_Bloggs 31st Dec 13, 10:54 AM
    • 4,493 Posts
    • 1,583 Thanks
    Joe_Bloggs
    For those who have too much time on their hands I suggest Genealogy.
    With the online tools it is possible to see date of birth and mothers maiden name.

    Given these are easily memorable but openly researchable facts they should not form a part of any rigorous security check for identity.

    If the fraudsters can't get your date of birth correct then they are probably guessing from a photo or behaviour. (online media)

    I suspect that there is a tolerance for banking fraud within financial institutions. Some losses are acceptable given the time an effort and cost to change to a more secure but possibly unpopular means of consumer interface.

    J_B.
    • GazNicki
    • By GazNicki 31st Dec 13, 11:33 AM
    • 100 Posts
    • 31 Thanks
    GazNicki
    Lord, I suspect the OP is retired with a long and empty road ahead of him. If not, maybe he'll go back to work soon and give his rantings a rest.



    You got that right. The OP is a man on a mission, there is little point in trying to engage with him. He will patronise and ignore good advice till the sky turns green. Makes for amusing reading though.
    Originally posted by Dovah_diva
    I too agree that the OP is clearly an individual with far too much time on his hands, although I found his posts to be far from amusing.

    This could easily be condensed into one smaller post that simply read:

    "I have found an error on my credit file which would instigate someone untowards has applied for credit in my name. I have contacted the CRA in question and asked them to look into this. Additionally, I have also contacted my Bank who has issued the credit incorrectly, and am awaiting their response.

    I mention this because it was flagged up by an incorrect DOB on my credit file. As I actively monitor my Credit Report this was flagged up to me quickly.

    I suggest that other members also have a look through their credit files and check that the details of all credits, including DOB information, is correct as this could indicate foul play."

    This would probably have been rewarded with a hundred people replying with messages of thanks and blowing smoke up the OPs !!!! as he clearly wants. Instead he has made himself look narcissistic with his posts and insulted a number of people along the way. Shame on you OP!
    Last edited by GazNicki; 31-12-2013 at 11:40 AM.
  • VictimOfImpersonation
    I guess you might be forgiven for your limited takes on all this if you are well-meaning. If you are not well-meaning then only you know what motivates you.

    I am not interested in who hits the MSE Thanks button. I am interested in toppling bad business or bringing it to heel. It is dirty work and it is often thankless.

    1 Negative factors
    • You have recently opened 1 or more new credit accounts. No I didn't. A fraudster did. With an incorrect date of birth. My bank of umpteen years and umpteen products issued it and told my CRA of umpteen years that I am 8 years younger than they thought I was. They swallowed it and for good measure gave me this negative factor for recently opening a new credit agreement. They know about it - it is a general problem. They don't seem to care.
    0 changes since last report (despite issuing the clean-up invitation to Experian). We still live in hope.

    See more ?
    Tomorrow then - let us see what the New Year brings.
  • goonarmy
    I guess you might be forgiven for your limited takes on all this if you are well-meaning. If you are not well-meaning then only you know what motivates you.

    I am not interested in who hits the MSE Thanks button. I am interested in toppling bad business or bringing it to heel. It is dirty work and it is often thankless.

    1 Negative factors
    • You have recently opened 1 or more new credit accounts. No I didn't. A fraudster did. With an incorrect date of birth. My bank of umpteen years and umpteen products issued it and told my CRA of umpteen years that I am 8 years younger than they thought I was. They swallowed it and for good measure gave me this negative factor for recently opening a new credit agreement. They know about it - it is a general problem. They don't seem to care.
    0 changes since last report (despite issuing the clean-up invitation to Experian). We still live in hope.

    See more ?
    Tomorrow then - let us see what the New Year brings.
    Originally posted by VictimOfImpersonation
    Thankless or fruitless? Im not sure you are aware of the difference.
    • Gordon Hose
    • By Gordon Hose 31st Dec 13, 2:16 PM
    • 6,057 Posts
    • 4,113 Thanks
    Gordon Hose
    Experian just report what the banks send them, they don't make stuff up and add it to your file for a giggle.

    Maybe start with the financial organisation that recorded the fraudulent info and go from there?
  • VictimOfImpersonation
    As I was saying, I guess you might be forgiven for your limited takes on all this if you are well-meaning. If you are not well-meaning then only you know what motivates you.

    I am not interested in who hits the MSE Thanks button. I am interested in toppling bad business or bringing it to heel. It is dirty work and it is often thankless.

    1 Negative factors
    • You have recently opened 1 or more new credit accounts. No I didn't. A fraudster did. With an incorrect date of birth. My bank of umpteen years and umpteen products issued it and told my CRA of umpteen years that I am 8 years younger than they thought I was. They swallowed it and for good measure gave me this negative factor for recently opening a new credit agreement. They know about it - it is a general problem. They don't seem to care.
    0 changes since last report (despite issuing the clean-up invitation to Experian). We still live in hope.

    See more ?
    Tomorrow then - let us see what the New Year brings.
  • goonarmy
    As I was saying, I guess you might be forgiven for your limited takes on all this if you are well-meaning. If you are not well-meaning then only you know what motivates you.

    I am not interested in who hits the MSE Thanks button. I am interested in toppling bad business or bringing it to heel. It is dirty work and it is often thankless.

    1 Negative factors
    • You have recently opened 1 or more new credit accounts. Blah blah blah
    0 changes since last report (despite issuing the clean-up invitation to Experian). We still live in hope.

    See more ?
    Tomorrow then - let us see what the New Year brings.
    Originally posted by VictimOfImpersonation
    See post number 49
    • matttye
    • By matttye 31st Dec 13, 2:32 PM
    • 4,748 Posts
    • 2,994 Thanks
    matttye
    Doing a mass cleanup could cause more trouble than it's worth.

    If you think for just one second, it's not unheard of that people make typos when entering personal data. If I accidentally enter my year of birth as 1989 rather than 1988, it would be more distressing to me for my entire account history to suddenly disappear than for it to simply show the incorrect DOB.

    The system DOES need change, but not on a mass automated scale as you're proposing. What should happen is that Experian and the other CRA's should remove data from your credit files without recourse to the lenders if you can prove the data relating to the account has nothing to do with you. And there should be a time limit for them to do so.
    What will your verse be?

    R.I.P Robin Williams.
    • Cornucopia
    • By Cornucopia 31st Dec 13, 2:37 PM
    • 14,009 Posts
    • 17,546 Thanks
    Cornucopia
    I agree. This whole thing seems to be based on the OP's misunderstanding of what constitutes inaccurate data.

    Just because the DOB is different, doesn't automatically make this data inaccurate. Yes, in an ideal world it would be raised as a query - but to discard it altogether would not serve the purpose of the CRAs.
    Last edited by Cornucopia; 31-12-2013 at 2:45 PM.
    I'm a Board Guide on the The Money Savers Arms, Phones & TV, Techie Stuff, In My Home,
    and Food Shopping boards. I'm a volunteer to help the boards run smoothly, and I can move and merge threads there.

    Any views (especially those on the UK TV Licence) are mine and not the official line of moneysavingexpert.com.

    Board guides are not moderators. If you spot an inappropriate or illegal post then please report it to forumteam@moneysavingexpert.com
  • VictimOfImpersonation
    Doing a mass cleanup could cause more trouble than it's worth.

    If you think for just one second, it's not unheard of that people make typos when entering personal data. If I accidentally enter my year of birth as 1989 rather than 1988, it would be more distressing to me for my entire account history to suddenly disappear than for it to simply show the incorrect DOB.
    Originally posted by matttye
    Matt I understand your concern entirely, but the effect you are worried about is not what I proposed.

    The initial query of the database can be done more or less instantly by the CRAs. So much so that I am sure they have done it many times. It is such an obvious query to run. They and their partner/providers simply do not wish then to do the costly amount of staged clean-up work that it would require over many months to sub-categorise and resolve the difficult mismatches or to open themselves up to fines, sanctions and penalties from ICO and FCA when they self-report breaches of the past.

    Mismatches like mine where they have held reams of data on my accounts for decades all with the same date of birth and same address would be easy to categorise as "obviously incorrect recent input - query immediately with provider - suspect fraud - quarantine entry and remove from searchable record - alert VictimOfImpersonation"

    An initial dob mismatch query would highlight where two or more dobs were present. Once the obviously recent and simple to solve glitches like mine have been dealt with, the rest can be sifted even more finely into a plan of clean-up work in partnership with whomever provided the data. Reports should be made to and monitored by ICO on how they are getting on with fixing the various breaches they and the providers have been guilty of.

    I am not suggesting that whole credit reports are taken off-line while they do it, but if you are a young person starting out on building credit with two credit agreements for example with two dobs then I understand your concern if you found both got quarantined because neither carried sufficient weight to be seen as the correct one!

    This wouldn't happen. They will have to manage it carefully, and yes it will cost them dear to do so.

    And Cornucopia, I have cleaned up City databases so I know what I am talking about, thanks, and I very much hope you are posting out of a simple concern and not a position of knowledge.
    Last edited by VictimOfImpersonation; 31-12-2013 at 3:01 PM.
    • CKhalvashi
    • By CKhalvashi 31st Dec 13, 3:09 PM
    • 9,023 Posts
    • 25,830 Thanks
    CKhalvashi
    I agree. This whole thing seems to be based on the OP's misunderstanding of what constitutes inaccurate data.

    Just because the DOB is different, doesn't automatically make this data inaccurate. Yes, in an ideal world it would be raised as a query - but to discard it altogether would not serve the purpose of the CRAs.
    Originally posted by Cornucopia
    I agree with this, too.

    I had a credit agreement (done in branch), in my younger days show my dob as 1872 (instead of 1982), and whilst it was unfortunate, the loan went through, it was sorted when I'd noticed it (which was just before a mortgage application)

    If I'd lost 6 years of credit history because of that, I'd have been a little annoyed.

    CK
    "I kada sanjamo san, nek bude hiljadu raznih boja" (L. Stamenkovic)

    Call me Remainer or Romaniac, but not Remoaner. It's insulting and I have the right to have my voice heard too.

    I can spell, my iPad can't.
    • Cornucopia
    • By Cornucopia 31st Dec 13, 3:11 PM
    • 14,009 Posts
    • 17,546 Thanks
    Cornucopia
    I have my own thankless crusade in the shape of BBC Licence Fee enforcement (which I believe to be unlawful in the way it treats people who have no legal need for a licence).

    So I do understand the way a cause can assume a personal level of importance that others may not accept. But I also understand how large organisations do not do these things lightly - they will probably have legal advice on what constitutes inaccurate data, and whilst you may be right to challenge their definition, it may well turn out that the ICO supports them, not you.

    I have also worked on many data migration and cleansing projects, and I understand that they are normally much more difficult than they initially appear. The devil is always in the detail.
    I'm a Board Guide on the The Money Savers Arms, Phones & TV, Techie Stuff, In My Home,
    and Food Shopping boards. I'm a volunteer to help the boards run smoothly, and I can move and merge threads there.

    Any views (especially those on the UK TV Licence) are mine and not the official line of moneysavingexpert.com.

    Board guides are not moderators. If you spot an inappropriate or illegal post then please report it to forumteam@moneysavingexpert.com
  • VictimOfImpersonation
    I agree with this, too.

    I had a credit agreement (done in branch), in my younger days show my dob as 1872 (instead of 1982), and whilst it was unfortunate, the loan went through, it was sorted when I'd noticed it (which was just before a mortgage application)

    If I'd lost 6 years of credit history because of that, I'd have been a little annoyed.

    CK
    Originally posted by CKhalvashi
    Are you Mr Khalvashi, a businessman of repute, using your knowledge to knock my suggestion because you have an ulterior motive, or because you do not understand how a data clean-up could be responsibly managed?

    I have also worked on many data migration and cleansing projects, and I understand that they are normally much more difficult than they initially appear. The devil is always in the detail
    by Cornucopia
    Yes yes, such projects always flounder into compromise due to cost considerations, but do you understand how the mismatch queries are easy? And how the further sifting and categorising (querying) of mismatches is easy? Please do not assist the CRA viewpoint here by blowing smoke they might feel more than comfortable hiding behind.
    Last edited by VictimOfImpersonation; 31-12-2013 at 3:19 PM.
    • Cornucopia
    • By Cornucopia 31st Dec 13, 3:13 PM
    • 14,009 Posts
    • 17,546 Thanks
    Cornucopia
    1872
    Originally posted by CKhalvashi
    I assume that is a typo, as no system should be readily accepting that there are 141 year-olds applying for credit.

    Apologies and congrats if you really are 141.
    Last edited by Cornucopia; 31-12-2013 at 3:15 PM.
    I'm a Board Guide on the The Money Savers Arms, Phones & TV, Techie Stuff, In My Home,
    and Food Shopping boards. I'm a volunteer to help the boards run smoothly, and I can move and merge threads there.

    Any views (especially those on the UK TV Licence) are mine and not the official line of moneysavingexpert.com.

    Board guides are not moderators. If you spot an inappropriate or illegal post then please report it to forumteam@moneysavingexpert.com
  • VictimOfImpersonation
    I assume that is a typo, as no system should be readily accepting that there are 141 year-olds applying for credit...
    Originally posted by Cornucopia
    Yes, just as no system should be accepting a new credit agreement application against anyone's name with an incorrect date of birth where there are already a number of accounts in the database showing the correct dob. The computer at the bank should have error messaged the input immediately and so should it at the CRAs when it got through the bank.

    So now they will both have to pay specialist forensic database experts (they surely haven't been employing them to date?) to clean up the mistakes of the past.
    • Duke203
    • By Duke203 31st Dec 13, 3:47 PM
    • 98 Posts
    • 348 Thanks
    Duke203
    So now they will both have to pay specialist forensic database experts (they surely haven't been employing them to date?) to clean up the mistakes of the past.
    Originally posted by VictimOfImpersonation
    Maybe ask someone to post this recommendation on a specialist IT board. I haven't seen anyone on this thread who knows anything about computers, so it may get more visibility there.
    Last edited by Duke203; 31-12-2013 at 3:51 PM. Reason: Minor tweakage
    "Chuck Norris can remain solvent for longer than the markets can remain irrational"
    • CKhalvashi
    • By CKhalvashi 31st Dec 13, 3:55 PM
    • 9,023 Posts
    • 25,830 Thanks
    CKhalvashi
    Are you Mr Khalvashi, a businessman of repute, using your knowledge to knock my suggestion because you have an ulterior motive, or because you do not understand how a data clean-up could be responsibly managed?
    Originally posted by VictimOfImpersonation
    Who I am has nothing to do with the fact that the CRA only reports what is given to them, instead of creating information by itself. I am therefore declining the opportunity to answer the question.

    Yes yes, such projects always flounder into compromise due to cost considerations, but do you understand how the mismatch queries are easy? And how the further sifting and categorising (querying) of mismatches is easy? Please do not assist the CRA viewpoint here by blowing smoke they might feel more than comfortable hiding behind.
    It would depend largely how the system is set up. The Experian system, from what I am aware, was created before credit referencing was the norm.

    At the same time, should I apply for credit in my home country, the system is structured in such a way that it's down to my last three months' bank statements and a declaration of any debt I may/may not have, with security for any borrowing being the norm.

    Whether I prefer this system, and whether I prefer the UK system is not the point here; what is more important is for banks to be able to verify and share information in an effective manner, which is what they're doing 99.9% of the time.

    It is more than acceptable for a typo to be on a credit report somewhere, and whilst some may argue that this should stop any credit application going through, others would rather not waste a search.

    CK
    "I kada sanjamo san, nek bude hiljadu raznih boja" (L. Stamenkovic)

    Call me Remainer or Romaniac, but not Remoaner. It's insulting and I have the right to have my voice heard too.

    I can spell, my iPad can't.
    • Cornucopia
    • By Cornucopia 31st Dec 13, 4:01 PM
    • 14,009 Posts
    • 17,546 Thanks
    Cornucopia
    A
    Yes yes, such projects always flounder into compromise due to cost considerations, but do you understand how the mismatch queries are easy? And how the further sifting and categorising (querying) of mismatches is easy? Please do not assist the CRA viewpoint here by blowing smoke they might feel more than comfortable hiding behind.
    Originally posted by VictimOfImpersonation
    Identifying the inconsistencies is easy enough. The question is what do the inconsistencies mean, and what should be done about them?
    I'm a Board Guide on the The Money Savers Arms, Phones & TV, Techie Stuff, In My Home,
    and Food Shopping boards. I'm a volunteer to help the boards run smoothly, and I can move and merge threads there.

    Any views (especially those on the UK TV Licence) are mine and not the official line of moneysavingexpert.com.

    Board guides are not moderators. If you spot an inappropriate or illegal post then please report it to forumteam@moneysavingexpert.com
  • VictimOfImpersonation
    ...has nothing to do with the fact that the CRA only reports what is given to them, instead of creating information by itself.
    Originally posted by CKhalvashi
    But we know that is a fallacy not a fact. What is Delphi if it isn't new information derived from the faulty information CRAs recklessly store because they don't check it?

    How can any licensed data controller claim that routinely not checking the data they receive with verifiers they already possess is an acceptable defence to 55(1)?
    ...what is more important is for banks to be able to verify and share information in an effective manner, which is what they're doing 99.9% of the time.
    You have no evidence to support it, and on my single file I have many instances to show that your 99.9% figure is a joke.
    It is more than acceptable for a typo to be on a credit report somewhere, and whilst some may argue that this should stop any credit application going through, others would rather not waste a search.
    OK that simply tells me that you have a point of view but your line of knowledge doesn't help you understand the danger in what I am saying. It is the complexity of attempting a discussion like this amongst a general audience who have been groomed to "want" a CRA file where they can "spend" searches that makes the banks and CRAs smile and think they might get away with it.
    Last edited by VictimOfImpersonation; 31-12-2013 at 4:08 PM.
    • CKhalvashi
    • By CKhalvashi 31st Dec 13, 4:13 PM
    • 9,023 Posts
    • 25,830 Thanks
    CKhalvashi
    You have no evidence to support it, and on my single file I have many instances to show that your 99.9% figure is a joke.
    Originally posted by VictimOfImpersonation
    What your file shows is that someone used your name to apply for credit when the credit was applied for.

    Lets be honest, this is the case, as nowhere on your file does it explicitly state you did this.

    If you want the information removed, speak to the creditor, as they are the only ones able to remove it, as was explained to you 3 pages ago.

    CK
    "I kada sanjamo san, nek bude hiljadu raznih boja" (L. Stamenkovic)

    Call me Remainer or Romaniac, but not Remoaner. It's insulting and I have the right to have my voice heard too.

    I can spell, my iPad can't.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

2,534Posts Today

8,088Users online

Martin's Twitter