Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    VictimOfImpersonation
    Experian's Fundamental Breach of Data Protection Act 1998
    • #1
    • 29th Dec 13, 2:57 PM
    Experian's Fundamental Breach of Data Protection Act 1998 29th Dec 13 at 2:57 PM
    In another thread, which discusses an MSE news story about worrying revelations on security of personal data at Compare The Market (an organisation which itself will have close links to CRAs by virtue of it collecting personal data and constantly causing ID and credit checks on our files), I have got into a surprising ding dong with Experian Company Representative. According to the signature, he is Head Of Consumer Affairs at Experian (UK I assume and not worldwide - they are a giant worldwide CRA).

    He does post at weekends when it suits him, but he has gone strangely quiet since I told him Experian were breaking the law.

    I have discovered that Experian tolerate false data on our records to the extent that if you have a good credit history, it seems a fraudster can use an incorrect date of birth to secure credit in your name with the barest name and address details, and Experian will accept that data and simply mark your file with a negative mark because a new credit agreement is registered in your name.

    They will not alert you to false date of birth data and it seems they will not alert the bank who gave them the data either because the bank will just carry on like normal same as the CRA until someone says "Hey, what are you playing at?"

    Furthermore, when I point out that there is an obvious date of birth mismatch, Experian Company Representative says date of birth is not the only identifying data they use . What planet is he on ? Those of us that understand relational databases have to wonder whether he has any skill in the realm of data science at all ?

    My Experian CRA record has tens of entries recorded over decades all with the correct date of birth, yet now it has one two month old one with a totally incorrect date of birth - the fraudulent credit agreement.

    I am an established case with very consistent personal data. If it can happen to my data record at Experian, it can happen to thousands.

    And the official Experian spokesperson on MSE (yes they have one surprise surprise) says date of birth is not the only identifying factor . He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.

    I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law. Whether he is heeding my advice or not we don't know, because he has gone quiet for a day.

    I think as a responsible officer of Experian refusing to deal with the fundamental nature of the breach and treating it as if it is just a possible glitch on my file only which I need to tell him about, he may himself also be personally breaking the law.

    Sad to say but unless they get their finger out, Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.

    I just cannot for the life of me understand how they can so nonchalantly obtain and hold any data against anyone's name when the date of birth they have obtained is wrong. It is not their business to simply be a repository of all transacted data that might be in our names, safeguarding it for ever in case there has been a typo by the people that gave it to them, and the rest of it may be ok. It is their business to reject incorrect data, especially when a fundamental input filter like date of birth shows the data cannot stand.

    All such fundamental mismatches should be quarantined and then verified/rectified with the source trying to input it or it must be destroyed. Whether that quarantine should be even be at the CRA or at the source is another very big question.

    Date of Birth is so fundamental to personal data processing.

    In my case this false data has stood for two months in their database.

    However many more cases are there like this ?

    I have told Experian I can tell them exactly if they let me query their database.

    If I can bloody well tell them how to do it with a standard database query that a 12 year old could do, then why are they doing nothing to clean up their act?

    I have another example of where Experian's personal data protection may be flawed, and that relates to gaining access to full online credit reports. I know that CRAs themselves are constantly under attack to release our data to fraudsters who would use it as an aide memoire to launch attacks. I have discovered that with surprisingly little security data being verified, in certain somewhat surprising circumstances Experian can be persuaded by phone to delete previous accounts or previous failed registrations where documentary evidence was demanded but never provided. If it was demanded previously then how is it suddenly not necessary on the strength of a phone call a year or two later? The inconsistency is worrying.

    I also have a fear that they might then allow a brand new squeaky clean registration with only 3 out of four registration security questions correct. The security questions are tough enough (if you dont already have a copy of a previous CRA report to crib from) but surely they must ALL be answered correctly to get access to a spanking new report?
    In my case a version of my credit report is already in the hands of fraudsters courtesy of another CRA with a security hole at the time, CallCredit now known more by its trading name Noddle.


    Running CRAs like this is not the way to protect us - this way we are all made more vulnerable.

    What on earth is happening? We are also very clearly being badly let down big time by the Information Commissioners Office. Do we have an Official ICO Representative on MSE?
    Last edited by VictimOfImpersonation; 29-12-2013 at 3:09 PM.
Page 5
  • VictimOfImpersonation
    Oh dear, I see Experian company representative has added his thanks to your post.

    I think readers can see his frustration, but they can't see that he has got his finger out.

    There is a general security hole James. It involves Experian. What are you doing about it?

    Meantime others have been busy on the case instead of fiddling around on MSE.
  • VictimOfImpersonation
    OK. In the last 24 hours I have established that Experian where involved in a real-time credit check as part of the bank's online credit card application decision process. Clearly whatever electronic message came back from Experian was unfit for any purpose to do with identifying a fraudulent application in my name by a third party.

    I think both the card provider and Experian must have been playing a different game when they devised that particular link-up.

    By the way. Today is Day 74 after that electronic link-up was made and the cocked-up decision let a fraudulent application through the net and all the systems just forgot about it, except for adding over limit and late charges (and interest I guess). Still no alerts on any of the three CRAs, still no corrections on Experian or CallCredit, still no CIFAS registration showing. Just a moderate dent in my Experian credit score so far for the mere fact I apparently took out a new credit agreement recently. Way to go fellas !
    Last edited by VictimOfImpersonation; 08-01-2014 at 1:29 AM.
  • VictimOfImpersonation
    Update over last 24 hours:
    • No change to CRA files which still show the position as at the beginning of December.
    • That includes the fact that I can see no CIFAS registration yet either.
    • No telephone calls.
    • No emails.
    • No statements received for the fraudulent card account in question since it was issued 2 months ago.
    • What I have received in the last 24 hours is a special letter dated 2nd January 2014 addressed to me as an out of order new account customer, but it takes the form only of a gentle reminder to pay.
    The account is over credit limit but the letter does not mention the credit limit, just the outstanding balance and it only asks for 5% of the outstanding balance which will do nothing to take it back under the credit limit. So next month no doubt they would plan to add a third 12 overcredit limit charge as well as interest.

    There is nothing in the letter which actually says that the account is out of order. It's just a gentle reminder to pay something. I find this quite remarkable bearing in mind that the card was maxed out by early November and charges soon took it way over credit limit and no payment has ever been made on it. The card provider seems remarkably laid back about it.

    Anyway, let us not forget that the card provider was told this was a fraudulently opened account over three weeks ago yet I have received two further computer produced letters since then sent oblivious to the fraud notification.

    I am making this update on the Experian file because Experian ought to be the first CRA that gets updated by the card provider since they were partners in the joint entreprise to credit check the fraudulent application and ended up between then deciding there was no reason to reject it.

    In these threads I have been roundly criticised along the lines of "Why don't you just follow procedures and report the error on your credit file to the CRA in the normal way?"

    Well I did notify the card provider in the normal way and chase them, and I did notify CallCredit in the normal way and chased them.

    Equifax appear to be oblivious of any new credit agreement so I can only assume the card provider does not have much of a relationship with Equifax. Equifax are the alert service I was subscribed to and they have singularly failed to pick up the fraud either at the time or since. I am not sure what useful purpose there is in contacting them about an omission based purely on the fact that some major credit card players seem to cut Equifax out of the game?

    Experian is the only party with actual involvement in this fiasco that I have not notified directly. Via these threads I have told Experian company representative of the security hole in the arrangement they have with the card provider. He has not been best pleased by me refusing to make his job easy by identifying myself exactly and my insistence that they can easily establish the security hole if they do a date of birth mismatch query using their intelligence to categorise the breaches. The main reasoning for not notifying them directly has been very simple - it was a test - more than one in fact, and we shall alllearn from it (although industry insiders are clearly bored with the prospect of the rest of us learn unresponsive and mediocre their industries might be in responding to real criticisms), so anyway, the tests:
    • Would they do a date of birth mismatch query on their entire database of any description in order to discover obvious fraud like mine?
    • Having been central to the card provider's instant online credit check / decision to issue a new card, how fast would Experian update their record on the car provider's say so?
    The answer to the first one I think we can assume is 'No, they don't want to' (I believe they would instantly have to report themselves to ICO and agree a clean-up schedule if they did a proper mismatch query on their database because I think with good reason that it contains a lot of obviously inaccurate data).
    The answer to the second is that it is 24 days since I notified the card provider of the fraud and no correction seems yet to have been made.
    It is now 77 days since the original Experian "live check" was used to assist the card provider in making an instant decision to issue a card to the fraudsters with solely a partial name and address and all other application data including date of birth being completely false.

    Please remember there have been no alerts whatsoever - I discovered the fraud myself after an over credit limit charge notification letter arrived.

    On the Are CRAs unfit for purpose and should they be reformed? thread I posed a question about whether any MSE'er had ever received an alert from a CRA which actually turned out to be actual fraud (as opposed to some other chase round the houses leading to a conclusion that it was some cck-up or other frustrating non-event?

    No-one confirmed that they knew of such an instance. One lending industry insider effectively just said don't be so stupid, hundreds will have been alerted.

    I am struggling to believe that even tens might have been alerted, but I do know that 4 million of us have already been the victims of ID Fraud because CallCredit use the fact as a selling point for their alert services
    Last edited by VictimOfImpersonation; 09-01-2014 at 1:29 AM.
  • VictimOfImpersonation
    Ah, at last!

    Some changes have occurred on my Experian file today

    Your current score is: 999


    Factors affecting your score:

    5 Positive factors
    • Your most recent mortgage account has been running for over 12 months
    • The usage of your available credit indicates a lower risk
    • The value of your highest credit limit indicates a lower risk
    • The age of your accounts indicates lenders are likely to view you as lower risk
    • You have a significant number of successfully settled credit accounts
    See more


    0 Negative factors
    • No Negative factors


    2 changes since last report
    • You have fewer recently opened credit accounts
    • You are using less of your available revolving credit



    I publish the above not only to show there has been a change, but in the hope that it might give some readers an idea of the sort of thing that Experian say contributes to what with them I think is a perfect score of 999.

    So, I guess we'll never know* if Experian got their finger out and cleaned up the obvious dob mismatch themselves as part of a general data cleanup, or if it was as a result of the card provider requesting the deletion of the incorrect account. On my Experian file it is now as if that unalerted 75 day old fraudulent account never existed.*

    *Edit: Actually we do know, it wasn't Experian that tidied it up, and it is not true to say my file is exactly as if the fraudulent account never existed - there is from today a good clue that it might have - a CIFAS registration record : "Victim of Impersonation {That's me}- Use, by another person, of this name and/or address"
    Last edited by VictimOfImpersonation; 09-01-2014 at 4:18 PM.
    • rizla king
    • By rizla king 19th Jan 14, 2:06 PM
    • 2,843 Posts
    • 1,903 Thanks
    rizla king
    http://experian.co.uk/consumer/questions/askjames357.html

    Any lender that shares credit account information through a credit reference agency is certainly responsible for making sure the information is accurate and kept up to date. The credit reference agency should also take reasonable steps to make sure the information is correct too, such as making practical checks of the information as it is received.
    by James Jones
  • VictimOfImpersonation
    http://experian.co.uk/consumer/quest...kjames357.html
    Any lender that shares credit account information through a credit reference agency is certainly responsible for making sure the information is accurate and kept up to date. The credit reference agency should also take reasonable steps to make sure the information is correct too, such as making practical checks of the information as it is received.
    by James Jones aka Experian company representative:
    by rizla king
    (my underline) Rizla king you are a mine (or should we say diligent miner!) of the very best nuggets of pertinent information. Thank you from all of us who have to date suffered the insufferable comments that CRAs just record what they are given and should not be blamed for that.
    Last edited by VictimOfImpersonation; 20-01-2014 at 2:41 PM.
    • MrSilk
    • By MrSilk 20th Jan 14, 2:44 PM
    • 1,105 Posts
    • 931 Thanks
    MrSilk
    VictimOfImpersonation, calm down, the whole point of posting here, is for help and advice, not to be ignorant towards other users. Get over it.
  • VictimOfImpersonation
    VictimOfImpersonation, calm down, the whole point of posting here, is for help and advice, not to be ignorant towards other users. Get over it.
    Originally posted by MrSilk
    What are you on about, Mr.Silk? Rizla king posted a very pertinent quote (not by a user but by the Head of Consumer Affairs of Experian!) and I am grateful for it and gave my thanks. Have you misinterpreted my thanks ?
    • MrSilk
    • By MrSilk 20th Jan 14, 3:02 PM
    • 1,105 Posts
    • 931 Thanks
    MrSilk
    What are you on about, Mr.Silk? Rizla king posted a very pertinent quote (not by a user but by the Head of Consumer Affairs of Experian!) and I am grateful for it and gave my thanks. Have you misinterpreted my thanks ?
    Originally posted by VictimOfImpersonation
    Oops, apologies
  • VictimOfImpersonation
    Well that's alright, Mr.Silk! Glad we cleared that up so fast

    My apologies too for obviously having given you the impression that every time I post I am biting someone's head off !

    ... mind you, if James Jones is still wearing his, it would be nice if he responded here to straighten out an inconsistency or two
    Last edited by VictimOfImpersonation; 20-01-2014 at 3:08 PM.
    • brettcta
    • By brettcta 20th Jan 14, 3:13 PM
    • 3,757 Posts
    • 3,605 Thanks
    brettcta
    won't somebody please think of the children?
    helpful tips
    it's spelt d-e-f-i-n-i-t-e-l-y
    there - 'in or at that place'
    their - 'owned by them'
    they're - 'they are'
    it's bought not brought (i just bought my chicken a suit from that new shop for 6.34)
  • VictimOfImpersonation
    Calling James Jones; Earth to CRA, Experian company representative, can you explain the planetary inconsistency please?
    http://experian.co.uk/consumer/quest...kjames357.html
    Any lender that shares credit account information through a credit reference agency is certainly responsible for making sure the information is accurate and kept up to date. The credit reference agency should also take reasonable steps to make sure the information is correct too, such as making practical checks of the information as it is received.
    by James Jones aka Experian company representative:
    by rizla king
    (my underline)

    Seems some orbits are out of alignment !

    You will recall you told me that it was not up to Experian to spot that the date of birth and indeed everything else except my partial name and address was false on a new record presented to you by Barclaycard as part of an online credit card app live decision-making process, and later as conformation of a new credit agreement which you added to my record pari passu with some 40 other records that were consistent with each other but the latest stuck out like a sore thumb and was missed.

    It was of course fraudulent and everyone missed it.

    Doesn't tally with your quote above discovered on the Experian website by rizla king, does it?
  • kirkbyinfurnesslad
    won't somebody please think of the children?
    Originally posted by brettcta
    quite is this thread still going on.....
  • VictimOfImpersonation
    quite is this thread still going on.....
    Originally posted by kirkbyinfurnesslad
    ... yes of course it is still going on And if your username gives any indication of the location of your day job or one you have done in the past, then perhaps you might give us an insider's take on the latest question ? The question is an equally valid one to CallCredit. It is not clear whether Equifax threw up any kind of error when the data hit them. Sadly they didn't record a search or a new agreement and worse still they failed to Alert me (My Alert subscription is with Equifax). I do however know now that they were contacted at the time and belatedly the search has been manually added to my file with them.

    But back to James' "Ask James" page:

    It seems James Jones went into print some time ago on Experian's website and freely advised that CRAs have a responsibility to check information is correct at the time it is received which is what we would all reasonably expect if we thought about it long enough.

    A number of posters argued black was white on that question when I first raised it - claiming "CRAs just store the information" or "CRAs just record what the data provider gives them" or some such.

    That is why this thread is still going on, and that is why I have asked James to respond again.

    The counter-assertions knocking mine never were defensible, but thanks to rizla king, we can now see that even the likes of James Jones had seen the unreasonableness of such a contention when he was tasked to think about what he wanted to write as a piece on the Experian website.
    Last edited by VictimOfImpersonation; 22-01-2014 at 11:23 AM.
    • Top-ranking Bug
    • By Top-ranking Bug 22nd Jan 14, 12:53 PM
    • 86 Posts
    • 127 Thanks
    Top-ranking Bug
    Gosh, what an incredibly pointless waste of time this entire thread has been! I am a masochist, otherwise I wouldn't have continued to the end, although I admit I did skip a lot of the ranting and raving monologues by the OP.

    What WAS the point of this thread? I've forgotten. However, I would put money on the OP responding with some sort of cutting, patronising remark as to my employment, sex, or command of the English language...
    I incurred the debt, I repaid the debt - all of it! DMP started with CCCS 20/07/2007 Was 32,735. Paid off all my creditors (June 2013) 7 yrs ahead of original DFD.
    PPI claims won against Barclays x 2/ Egg x 1/ LV x . PPI claims rejected and then upheld Barclays/Egg x 2

  • VictimOfImpersonation
    Well Bug, you lost your money. I just don't understand why you posted. There is nothing difficult to understand here.

    I do now want Experian to tell us why, if they believe it is their duty to check it when they receive it, they are so careless with false data, don't you?
    • meer53
    • By meer53 22nd Jan 14, 7:39 PM
    • 9,602 Posts
    • 14,040 Thanks
    meer53
    Well Bug, you lost your money. I just don't understand why you posted. There is nothing difficult to understand here.

    I do now want Experian to tell us why, if they believe it is their duty to check it when they receive it, they are so careless with false data, don't you?
    Originally posted by VictimOfImpersonation
    No-one else is interested really.
  • kirkbyinfurnesslad
    Whats kirkby in furness got to do with this rubbish?
    • ladeeda
    • By ladeeda 28th Jan 14, 11:17 PM
    • 184 Posts
    • 550 Thanks
    ladeeda
    I have a feeling I might regret this as I am going to say that I get where victim of Impersonation is with this issue.
    This is why - two family members with the same name shared an address for a short time. The only difference between them on paper was their DOB's. One with extremely poor credit and one young with no credit. On being turned down for a flat and a bank account the young one got his credit files. All 3 showed the older members credit data complete with the older members DOB on his files. It has been going on for years - when the old one applied/ies for any thing using his real DOB - it ends up on the young ones CR file. Despite numerous errors being corrected and that the DOB used on the search doesn't match the young ones DOB (the address has not matched for over 2 years now either) the data defaults back to the young ones file. Has been going on for years now. Equifax Experian & CC just keep asking the young one to check his files and let them know of any mistakes, which they do (now) rectify within 28 days. But that's not really good enough - why should he have to do this? It is obviously a computer error that keeps repeating. The case is on it's way to the ICO now so I will update (if any body is interested) as soon as a decision is made.

    The CRA's do not take enough care when checking that the data they are fed is generated to the correct file and in the case I have talked about all 3 CRA's have acknowledged the DOB is not matched when placing data on a file. Surely it should be?
  • Sabbathdei
    I have a feeling I might regret this as I am going to say that I get where victim of Impersonation is with this issue.
    This is why - two family members with the same name shared an address for a short time. The only difference between them on paper was their DOB's. One with extremely poor credit and one young with no credit. On being turned down for a flat and a bank account the young one got his credit files. All 3 showed the older members credit data complete with the older members DOB on his files. It has been going on for years - when the old one applied/ies for any thing using his real DOB - it ends up on the young ones CR file. Despite numerous errors being corrected and that the DOB used on the search doesn't match the young ones DOB (the address has not matched for over 2 years now either) the data defaults back to the young ones file. Has been going on for years now. Equifax Experian & CC just keep asking the young one to check his files and let them know of any mistakes, which they do (now) rectify within 28 days. But that's not really good enough - why should he have to do this? It is obviously a computer error that keeps repeating. The case is on it's way to the ICO now so I will update (if any body is interested) as soon as a decision is made.

    The CRA's do not take enough care when checking that the data they are fed is generated to the correct file and in the case I have talked about all 3 CRA's have acknowledged the DOB is not matched when placing data on a file. Surely it should be?
    Originally posted by ladeeda

    Well CRAs are not a proper organisation, they only operate to make money out of gullible people, why should they bother doing their job properly ? If they put as much effort into data control as they do into flogging useless "scores" there wouldn't be a problem.
    "What is it now, Ralph?"
    "I'm not worried about Identity Theft...nobody would want to be me!"
    "These go up to 11."
    "Can't you have your ***** cut off ?" "It's not as simple as that, Nigel"
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

2,908Posts Today

7,778Users online

Martin's Twitter