
    Experian's Fundamental Breach of Data Protection Act 1998
    • #1
    • 29th Dec 13, 2:57 PM
    In another thread, which discusses an MSE news story about worrying revelations on security of personal data at Compare The Market (an organisation which itself will have close links to CRAs by virtue of it collecting personal data and constantly causing ID and credit checks on our files), I have got into a surprising ding dong with Experian Company Representative. According to the signature, he is Head Of Consumer Affairs at Experian (UK I assume and not worldwide - they are a giant worldwide CRA).

    He does post at weekends when it suits him, but he has gone strangely quiet since I told him Experian were breaking the law.

    I have discovered that Experian tolerate false data on our records to the extent that if you have a good credit history, it seems a fraudster can use an incorrect date of birth to secure credit in your name with the barest name and address details, and Experian will accept that data and simply mark your file with a negative mark because a new credit agreement is registered in your name.

    They will not alert you to false date of birth data and it seems they will not alert the bank who gave them the data either because the bank will just carry on like normal same as the CRA until someone says "Hey, what are you playing at?"

    Furthermore, when I point out that there is an obvious date of birth mismatch, Experian Company Representative says date of birth is not the only identifying data they use. What planet is he on? Those of us that understand relational databases have to wonder whether he has any skill in the realm of data science at all?

    My Experian CRA record has tens of entries recorded over decades all with the correct date of birth, yet now it has one two month old one with a totally incorrect date of birth - the fraudulent credit agreement.

    I am an established case with very consistent personal data. If it can happen to my data record at Experian, it can happen to thousands.

    And the official Experian spokesperson on MSE (yes they have one surprise surprise) says date of birth is not the only identifying factor. He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.

    I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law. Whether he is heeding my advice or not we don't know, because he has gone quiet for a day.

    I think as a responsible officer of Experian refusing to deal with the fundamental nature of the breach and treating it as if it is just a possible glitch on my file only which I need to tell him about, he may himself also be personally breaking the law.

    Sad to say but unless they get their finger out, Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.

    I just cannot for the life of me understand how they can so nonchalantly obtain and hold any data against anyone's name when the date of birth they have obtained is wrong. It is not their business to simply be a repository of all transacted data that might be in our names, safeguarding it for ever in case there has been a typo by the people that gave it to them, and the rest of it may be ok. It is their business to reject incorrect data, especially when a fundamental input filter like date of birth shows the data cannot stand.

    All such fundamental mismatches should be quarantined and then verified/rectified with the source trying to input it or it must be destroyed. Whether that quarantine should even be at the CRA or at the source is another very big question.

    Date of Birth is so fundamental to personal data processing.

    In my case this false data has stood for two months in their database.

    However many more cases are there like this?

    I have told Experian I can tell them exactly if they let me query their database.

    If I can bloody well tell them how to do it with a standard database query that a 12 year old could do, then why are they doing nothing to clean up their act?

    I have another example of where Experian's personal data protection may be flawed, and that relates to gaining access to full online credit reports. I know that CRAs themselves are constantly under attack to release our data to fraudsters who would use it as an aide memoire to launch attacks. I have discovered that with surprisingly little security data being verified, in certain somewhat surprising circumstances Experian can be persuaded by phone to delete previous accounts or previous failed registrations where documentary evidence was demanded but never provided. If it was demanded previously then how is it suddenly not necessary on the strength of a phone call a year or two later? The inconsistency is worrying.

    I also have a fear that they might then allow a brand new squeaky clean registration with only 3 out of four registration security questions correct. The security questions are tough enough (if you don't already have a copy of a previous CRA report to crib from) but surely they must ALL be answered correctly to get access to a spanking new report?
    In my case a version of my credit report is already in the hands of fraudsters courtesy of another CRA with a security hole at the time, CallCredit now known more by its trading name Noddle.

    Running CRAs like this is not the way to protect us - this way we are all made more vulnerable.

    What on earth is happening? We are also very clearly being badly let down big time by the Information Commissioners Office. Do we have an Official ICO Representative on MSE?
    Last edited by VictimOfImpersonation; 29-12-2013 at 3:09 PM.
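
The clean-up query and input filter that the post above argues for, sketched as an added example; it is not part of the thread and does not describe Experian's systems. The `entries` table, the `min_support` threshold and every sample row are hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed sample file data; schema, names and values are hypothetical.
ROWS = [
    ("P1", "Bank A",  "1994-03-01", "1961-05-17"),
    ("P1", "Bank B",  "2002-11-20", "1961-05-17"),
    ("P1", "Telco C", "2009-06-05", "1961-05-17"),
    ("P1", "Card D",  "2013-10-28", "1975-01-02"),  # disagrees with the file's history
    ("P2", "Bank A",  "2012-01-15", "1988-09-30"),  # single entry: nothing established yet
]

# A file's established DOB: its single most common value, trusted only when at
# least :min_support entries carry it and no other value ties with it.
CTES = """
WITH counts AS (SELECT person_id, dob, COUNT(*) AS n
                FROM entries GROUP BY person_id, dob),
     top AS (SELECT person_id, MAX(n) AS n FROM counts GROUP BY person_id),
     established AS (
         SELECT c.person_id AS person_id, c.dob AS dob
         FROM counts c JOIN top t ON t.person_id = c.person_id AND t.n = c.n
         WHERE c.n >= :min_support
         GROUP BY c.person_id HAVING COUNT(*) = 1)
"""

def build_db(rows=ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries "
                 "(person_id TEXT, provider TEXT, opened TEXT, dob TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?, ?)", rows)
    return conn

def find_mismatches(conn, min_support=3):
    """Clean-up pass: loaded entries whose DOB contradicts the file's history."""
    sql = CTES + """SELECT e.person_id, e.provider, e.dob, s.dob
                    FROM entries e JOIN established s ON s.person_id = e.person_id
                    WHERE e.dob <> s.dob ORDER BY e.person_id, e.opened"""
    return conn.execute(sql, {"min_support": min_support}).fetchall()

def screen_incoming(conn, person_id, dob, min_support=3):
    """Input filter: hold a new entry for verification instead of loading it."""
    sql = CTES + "SELECT dob FROM established WHERE person_id = :pid"
    row = conn.execute(sql, {"min_support": min_support, "pid": person_id}).fetchone()
    # With no established DOB (too little history, or a tie) there is nothing
    # to compare against, so the entry is loaded as before.
    return "quarantine" if row and row[0] != dob else "load"
```

The threshold keeps a thin or ambiguous file from quarantining everything; where to set it, and who verifies a held entry with the data provider, are the open questions the post itself raises.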
    • Top-ranking Bug
    • By Top-ranking Bug 29th Jan 14, 11:54 AM
    • 86 Posts
    • 127 Thanks
    Top-ranking Bug
    Ladeeda, you genius! Thank you for your succinct explanation and example which has clarified this entire thread!!

    I now see what potential problems there are, and I agree with you and the OP! Something should be done if this is not an isolated case, and it would seem it is not.
    Last edited by Top-ranking Bug; 29-01-2014 at 2:23 PM.
    I incurred the debt, I repaid the debt - all of it! DMP started with CCCS 20/07/2007 Was 32,735. Paid off all my creditors (June 2013) 7 yrs ahead of original DFD.
    PPI claims won against Barclays x 2/ Egg x 1/ LV x . PPI claims rejected and then upheld Barclays/Egg x 2

  • VictimOfImpersonation


    Thank you for your email, which we received on XX/01/2014. Your query has been brought to my attention in the Customer Relations team to investigate.

    I can confirm that we are dealing with this matter as an official complaint in accordance with our complaint handling process.

    Please find attached a copy of our complaint handling procedure. This tells you what we will do with your complaint, the time scale we work to and what you can do if you are unhappy with the conclusion.

    In summary, my understanding of your complaint at this time is;

    -A fraudulent online application was made in your name with Barclaycard on XX/10/13, you are unhappy Experian did not alert Barclaycard or anyone regarding this application. As a result this has caused you a great deal of inconvenience of which you are holding Experian jointly responsible for. You believe Experian is in breach of the Data Protection Act 1998 due to failure of checking the consistency of information provided by Barclaycard.

    -You are paying for the CreditExpert service to check your credit report almost daily since you discovered the fraudulent entry and would like a refund of subscription charges until further notice.

    I would begin by explaining that it is my role to investigate the details of your complaint and find an appropriate resolution to the problem you have highlighted. As such I appreciate your patience whilst I have considered all the information available including details you have provided.

    I am very sorry to hear of the circumstances that have led to your complaint; I fully appreciate your aim to ensure that the information recorded on your credit report is a wholly accurate representation of your credit history. I would assure you that the quality of data provided to us by every client is rigorously tested prior to being loaded to our records.

    All of our clients sign up to strict terms and conditions within their contract that require them to make sure that all the data they submit is accurate prior to providing it to us. Our regulator, the Information Commissioner, considers that this is having taken 'reasonable steps'.

    We also have over 400 generic checks in place to check the overall consistency of the data that we receive and a specialist department dedicated to running these necessary checks prior to loading the data to our records. This is because it is not possible for us to individually check each item of the data. This would involve going back to the company and asking them to check information that, as far as we are concerned, they have already confirmed to be accurate by sending that data to us.

    However, we do actively encourage people to check their own credit reports regularly and to tell us if they have any concerns about the information we hold. If any mistakes are brought to our attention, we contact the information provider (in your case Barclaycard) immediately to correct any mistakes as soon as possible.

    I am contacting the Barclaycard for you because I cannot amend the information without their consent. I'll let you know what they say as soon as they get back to me.

    *I'm also adding our standard dispute statement to this information, which will appear shortly:

    "The consumer has disputed the accuracy of this entry and we have therefore asked the provider to investigate it. Given that this data is disputed, please take care if making an assessment of any kind that may include this data."

    As a result, anyone viewing this information will be aware that it's being disputed.

    The Information Commissioner, who regulates the Data Protection Act 1998, views this as us having taken reasonable steps to ensure the accuracy of the data we receive, as per our obligation under this Act. All of the companies who supply us with information are obliged to provide data that is accurate and up to date, in accordance with the 4th Data Protection Principle.

    You may wish to add extra security by registering your details with CIFAS - the UK's fraud prevention service

    Signing up to their "Protective Registration Service" places a warning flag against your name and personal details to indicate that you are at risk of identity fraud.

    If a CIFAS registered lender receives an application in your name and runs a credit check with any of the UK credit agencies, they will be alerted to this warning and will undertake additional checks to verify that the application is genuine.

    Adding this warning is an important step towards protecting your identity and will impact any potential insurance claim that you make in the future. Failure to take further steps to protect your identity may result in your claim being rejected.

    If you would like us to consider adding this warning to your details, please complete and return the attached registration form. We can apply this warning to the addresses you have lived at over the last 6 years, as this is the address history that lenders take into consideration when viewing your credit report.

    As an additional security measure it is also possible to add a password to your credit report. If you are interested in doing so, please complete and return the attached form.

    Adding a password to your Experian credit report will act as a warning to any lender who uses Experian for credit checking to take further steps to confirm your identity before proceeding with the application.

    Whilst this will not stop fraudulent applications being made it will make it much less likely that any applications made fraudulently will be successful.

    I have attached a form for you to complete and return to me detailing the password you would like to use should you take this approach.

    In the meantime I am keeping your complaint open as I am still looking into your concerns. I will contact you as soon as I hear back from Barclays.

    Kind regards

    Customer Relations Consultant
    Customer Support Centre

    You may wish to visit the FAQ section of our website where you can find instant advice and answers about information held on your credit report. This service is available to you 24 hours a day, 7 days a week.

    Credit Expert is provided by Experian Limited. Experian Limited is an Appointed Representative of Motorfile Limited. Motorfile Limited, Landmark House, Experian Way, NG2 Business Park, Nottingham, Nottinghamshire, NG80 1ZZ is authorised and regulated by the Financial Conduct Authority.

    *So they are now planning to add a note to my file saying that I dispute my date of birth on one record out of about 100 they have collected over the years ... Sheesh !
    Last edited by VictimOfImpersonation; 11-02-2014 at 1:08 PM.
  • VictimOfImpersonation
    Just a brief update to say that Experian have finally through gritted teeth agreed to refund my subscription fees incurred since Christmas so I could monitor the identity fraud problem they so helpfully got me into, but minus the latest monthly fee for some completely unfathomable reason??

    They have also offered a year's free subscription as a "goodwill gesture" but again unfathomably they want me to cancel the existing subscription and start a new one in order to get it. Some bloody goodwill gesture, especially since the tone of their email was actually less a gritting of teeth than a "spitting of blood".

    Must have been my combining of my complaints here on MSE (those with the puerile and indifferent responses their James Jones, Head of Consumer Affairs gave me in this forum) and a complaint via their normal channels, and then not taking FO as the answer...
    Last edited by VictimOfImpersonation; 27-03-2014 at 9:48 PM.