Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    VictimOfImpersonation
    Experian's Fundamental Breach of Data Protection Act 1998
    • #1
    • 29th Dec 13, 2:57 PM
    Experian's Fundamental Breach of Data Protection Act 1998 29th Dec 13 at 2:57 PM
    In another thread, which discusses an MSE news story about worrying revelations on security of personal data at Compare The Market (an organisation which itself will have close links to CRAs by virtue of it collecting personal data and constantly causing ID and credit checks on our files), I have got into a surprising ding dong with Experian Company Representative. According to the signature, he is Head Of Consumer Affairs at Experian (UK I assume and not worldwide - they are a giant worldwide CRA).

    He does post at weekends when it suits him, but he has gone strangely quiet since I told him Experian were breaking the law.

    I have discovered that Experian tolerate false data on our records to the extent that if you have a good credit history, it seems a fraudster can use an incorrect date of birth to secure credit in your name with the barest name and address details, and Experian will accept that data and simply mark your file with a negative mark because a new credit agreement is registered in your name.

    They will not alert you to false date of birth data and it seems they will not alert the bank who gave them the data either because the bank will just carry on like normal same as the CRA until someone says "Hey, what are you playing at?"

    Furthermore, when I point out that there is an obvious date of birth mismatch, Experian Company Representative says date of birth is not the only identifying data they use . What planet is he on ? Those of us that understand relational databases have to wonder whether he has any skill in the realm of data science at all ?

    My Experian CRA record has tens of entries recorded over decades all with the correct date of birth, yet now it has one two month old one with a totally incorrect date of birth - the fraudulent credit agreement.

    I am an established case with very consistent personal data. If it can happen to my data record at Experian, it can happen to thousands.

    And the official Experian spokesperson on MSE (yes they have one surprise surprise) says date of birth is not the only identifying factor . He invites me to send an email to them to show them what's wrong with my records. I have declined because what I have discovered is so glaringly incorrect that it should never have made it past an input filter into the database.

    I have warned him that until they conduct a data clean up on their whole database and discover these dates of birth mismatches (which is an extremely easy task) Experian is breaking the law. Whether he is heeding my advice or not we don't know, because he has gone quiet for a day.

    I think as a responsible officer of Experian refusing to deal with the fundamental nature of the breach and treating it as if it is just a possible glitch on my file only which I need to tell him about, he may himself also be personally breaking the law.

    Sad to say but unless they get their finger out, Experian and their representative appear to have acted recklessly and continue to do so in their obtention and holding of personal data in our names and not heeding warnings to go look for mismatches and manage them correctly.

    I just cannot for the life of me understand how they can so nonchalantly obtain and hold any data against anyone's name when the date of birth they have obtained is wrong. It is not their business to simply be a repository of all transacted data that might be in our names, safeguarding it for ever in case there has been a typo by the people that gave it to them, and the rest of it may be ok. It is their business to reject incorrect data, especially when a fundamental input filter like date of birth shows the data cannot stand.

    All such fundamental mismatches should be quarantined and then verified/rectified with the source trying to input it or it must be destroyed. Whether that quarantine should be even be at the CRA or at the source is another very big question.

    Date of Birth is so fundamental to personal data processing.

    In my case this false data has stood for two months in their database.

    However many more cases are there like this ?

    I have told Experian I can tell them exactly if they let me query their database.

    If I can bloody well tell them how to do it with a standard database query that a 12 year old could do, then why are they doing nothing to clean up their act?

    I have another example of where Experian's personal data protection may be flawed, and that relates to gaining access to full online credit reports. I know that CRAs themselves are constantly under attack to release our data to fraudsters who would use it as an aide memoire to launch attacks. I have discovered that with surprisingly little security data being verified, in certain somewhat surprising circumstances Experian can be persuaded by phone to delete previous accounts or previous failed registrations where documentary evidence was demanded but never provided. If it was demanded previously then how is it suddenly not necessary on the strength of a phone call a year or two later? The inconsistency is worrying.

    I also have a fear that they might then allow a brand new squeaky clean registration with only 3 out of four registration security questions correct. The security questions are tough enough (if you dont already have a copy of a previous CRA report to crib from) but surely they must ALL be answered correctly to get access to a spanking new report?
    In my case a version of my credit report is already in the hands of fraudsters courtesy of another CRA with a security hole at the time, CallCredit now known more by its trading name Noddle.


    Running CRAs like this is not the way to protect us - this way we are all made more vulnerable.

    What on earth is happening? We are also very clearly being badly let down big time by the Information Commissioners Office. Do we have an Official ICO Representative on MSE?
    Last edited by VictimOfImpersonation; 29-12-2013 at 3:09 PM.
Page 2
  • VictimOfImpersonation
    No-one else really cares - but the narcissist in you just doesn't understand that.

    Your personal data - your problem.

    You have noted an anomaly, you are refusing to use the processes available to address this - so... suck it up.
    Originally posted by Tiddlywinks
    I don't think you quite understand, Tiddlywinks. Put yourself above the stupid error on my file. Look down on the state of the whole database.

    Do you really think this thread will be left for all to trawl and stumble upon via Google without being resolved?

    And BTW, do stop making yourself look silly with your evergreen eternally daffodilic use of English.

    For patanne
    Last edited by VictimOfImpersonation; 29-12-2013 at 9:08 PM. Reason: For patanne
    • Tiddlywinks
    • By Tiddlywinks 29th Dec 13, 9:42 PM
    • 5,351 Posts
    • 18,507 Thanks
    Tiddlywinks
    Do you really think this thread will be left for all to trawl and stumble upon via Google without being resolved?
    Originally posted by VictimOfImpersonation
    Eh, yes I do.

    Why? Because you are not as important in the grand scheme of things as you think you are.... I refer again to this.

    Just use the processes available - fill in the form indicated by the company rep and then go to the ICO if unresolved.
    Last edited by Tiddlywinks; 29-12-2013 at 9:45 PM.
  • VictimOfImpersonation
    I mentioned the fantastic quality of a large chunk of 60s and 70s state schooling earlier.

    I blame the schooling that beset the 80s and 90s. That was where it became the norm that to be a "swot" was to be hounded and ridiculed for being different, and an ability to blend in with the lowest common denominator and to follow the lead of celebs, monied sorts and wannabes was key to survival.

    Such a shame that made its inevitable way into the thinking of a whole generation.

    Loadsamoney!!
    Last edited by VictimOfImpersonation; 29-12-2013 at 10:15 PM.
  • goonarmy
    I mentioned the fantastic quality of a large chunk of 60s and 70s state schooling earlier.

    I blame the schooling that beset the 80s and 90s. That was where it became the norm that to be a "swot" was to be hounded and ridiculed for being different, and an ability to blend in with the lowest common denominator and to follow the lead of celebs, monied sorts and wannabes was key to survival.

    Such a shame that made its inevitable way into the thinking of a whole generation.

    Loadsamoney!!
    Originally posted by VictimOfImpersonation
    What are you on....about?
  • VictimOfImpersonation
    Well glad that I haven't wound you up too far then, goonarmy!

    You sound a practical sort of bloke. I am too.

    Do you think it is right that someone can guess you are good for a new credit card account from where you live, dip your postbox for a partial name and an address, go online to one of the banks which by chance has done business with you for years, enter a completely fictitious application apart from the partial name and address, and then the bank checks it or registers that data including the wrong date of birth with a CRA and issues a new card. The CRA has loads of data on you already and does not query the wrong date of birth but just adds the new account to the list of all your credit accounts and just marks down your credit score a fraction because you just opened a new account. Then the fraudster intercepts the card and PIN, ges online again and registers for online banking with a completely different email address and mobile phone to the ones you have registered with the bank, and still no-one notices anything wrong until the card is maxed out? Then what? The bank adds a 12 over credit limit charge and sends you a letter to tell you just that. You have never been overlimit in your life. But they send out that letter and just relax. Nothing else.

    Meantime the CRAs now have two months records on the account, they can see now it is overlimit, but both entries show green and ok.


    As a practical bloke, do you think that it is likely that I am the only one affected by such an experience?

    And as a practical bloke, do you not think there must be a horrendous failure in the system for it to happen? Or are you a diagnostics machine every time sort who just whacks in a replacement unit for what the machine tells you and drives away again without a bother about why?
    Last edited by VictimOfImpersonation; 30-12-2013 at 12:33 AM.
  • goonarmy
    Well glad that I haven't wound you up too far then, goonarmy!

    You sound a practical sort of bloke. I am too.

    Do you think it is right that someone can guess you are good for a new credit card account from where you live, dip your postbox for a partial name and an address, go online to one of the banks which by chance has done business with you for years, enter a completely fictitious application apart from the partial name and address, and then the bank checks it or registers that data including the wrong date of birth with a CRA and issues a new card. The CRA has loads of data on you already and does not query the wrong date of birth but just adds the new account to the list of all your credit accounts and just marks down your credit score a fraction because you just opened a new account. Then the fraudster intercepts the card and PIN, ges online again and registers for online banking with a completely different email address and mobile phone to the ones you have registered with the bank, and still no-one notices anything wrong until the card is maxed out? Then what? The bank adds a 12 over credit limit charge and sends you a letter to tell you just that. You have never been overlimit in your life. But they send out that letter and just relax. Nothing else.

    Meantime the CRAs now have two months records on the account, they can see now it is overlimit, but both entries show green and ok.


    As a practical bloke, do you think that it is likely that I am the only one affected by such an experience?

    And as a practical bloke, do you not think there must be a horrendous failure in the system for it to happen? Or are you a diagnostics machine every time sort who just whacks in a replacement unit for what the machine tells you and drives away again without a bother about why?
    Originally posted by VictimOfImpersonation
    You havent wound me up in the slightest, but i got bored reading your third sentance. Your typings worse than mine and I dont even try! Anyway, no ones looking on the net to sort your problems.

    And some advice: dont assume the sex of posters on a forum.
  • VictimOfImpersonation
    You havent wound me up in the slightest, but i got bored reading your third sentance.
    Originally posted by goonarmy
    Oh - limited attention span?
    Your typings worse than mine and I dont even try!
    I think you mean my sentence was too long and your patience was by then thin. OK, if you aren't interested you can take a horse to water, but not make it drink and all that!
    Anyway, no ones looking on the net to sort your problems.
    Oh dear back to put-downs again ... sigh

    And some advice: dont assume the sex of posters on a forum.
    Oh well, bloke, bloke-ette - Sorr-eee! I must admit I don't know many women who use WTF. Can't say I didn't try to adjust my style a bit though, to see if you might engage.


    So, as I was saying, I don't think the 80s and 90s were a good period for developing the kind of enquiring minds that question bad practice - they are more likely to turn on or question anyone amongst them who is a bit different and dares to draw attention to himself above the parapet and try to knock their block off.

    However, some of us baby boomers do question bad practice, sometimes with terrier-like tenacity, especially those of us who didn't use our great state educations just to get filthy rich and pull up the drawbridges behind us.

    So here I am today, and tomorrow and the day after tomorrow, until the CRAs get it fixed.
    Last edited by VictimOfImpersonation; 30-12-2013 at 1:03 AM.
  • dannny
    what would you suggest
    Originally posted by VictimOfImpersonation
    I suggest you contact the company, give them full details and ask them to resolve the matter. If they fail to do so make a complaint to the ICO.

    ICO will humm and ahhh for a few months, do !!!!!! all, and life continues.



    As a side note, life was a hell of a lot easier when computers consisted of nice large mainframes and you required a degree in mathematics to programme them.

    The proliferation of data gathering by governments and organisations just for the sake of it is a worrying trend.

    In one recent development ovivo mobile now require an actual copy of one of the following

    • Deed Poll
    • Marriage Certificate
    • Civil Partnership Registration Document
    • Statutory Declaration
    • Divorce Papers
    • Dissolved Civil Partnership Papers
    • Copy of Entry in Register of Corrections (Scotland only)
    • Amended Birth or Adoption Certificate
    if you want to change your name on your account. Theres absolutely no need for it.
    Last edited by dannny; 30-12-2013 at 11:41 AM.
    • Fruit and Nut Case
    • By Fruit and Nut Case 30th Dec 13, 11:45 AM
    • 3,982 Posts
    • 2,973 Thanks
    Fruit and Nut Case
    <snip> Theres absolutely no need for it.
    Originally posted by dannny
    Indeed. Even the mighty HMRC were happy with a short letter when I changed my name.
    Are you for real? - Glass Half Empty??
  • VictimOfImpersonation
    I suggest you contact the company, give them full details and ask them to resolve the matter.
    Originally posted by dannny
    I thought I already did?

    Full details are as follows:

    Experian recklessly accepts incorrect new date of birth data from bank partners on to customer CRA records, doesn't query it, and thus far hasn't cleaned up its database which I am quite logically imagining is full of such instances.

    Consequently it means their entire database is open to attacks by serious organised crime. I will tell you how:

    The fraudsters successfully open a new credit card account online in anyone's name at that person's known vulnerable address (there are millions of vulnerable postboxes in blocks of flats particularly) but using any old date of birth they fancy. That's the first vulnerability because the bank misses the error and the CRA does not alert the bank of the error either.

    The card arrives and they intercept it because the named person is not expecting a new card or PIN.

    The fraudsters then go online again and visit a CRA site to obtain an account verifying the first line of security using the card. That is the second vulnerability and we all know it is the third that gets you!

    Then if they have sufficient other data e.g. other intercepted post like a mortgage statement and bank statement they may be able to answer maybe 3 out of 4 further security questions correctly and get access to a full credit report in your name. That is a just a question of brute force attack armed with personal data from several sources (as long as 5 years ago bank workers were routinely warned that they might be accosted on their way home or in the pub by criminals willing to offer 1,000 each for limited bits of customer stationery or passwords / dob / mothers maiden name etc.). A proportion of brute force attacks to CRA websites will therefore succeed. Armed with a full CRA report, crimianls are laughing. They can then do enormous damage in a short space of time (thousands of pounds in the space of a week is not uncommon for each mark).

    This is why I have raised other issues besides the date of birth fiasco. How is it that Experian demanded documentary evidence of ID on a previous registration attempt but after a given period on the strength of an out of the blue phone call (I can't seem to open an account online - it said to call you) were willing to wipe the previous incomplete registration (where no documentary evidence was ever provided)? How then was I permitted to register again afresh with no documentary evidence ? I think Experian were using data that I had previously input in a failed attempt to register in order to identify me this time for certain. They asked me the memorable word I had input last time. Then they deleted all record of previous attempts and invited me to try again. I did so, and this time I registered with no additional documentary evidence. That is worrying and I have a feeling it may because there was a CIFAS marker last time I tried, but it has dropped off, but I am guessing.

    For serious organised crime, it is just a numbers game. Don't imagine the crime bosses delete their failed attempts from their own databases. They retain the personal data they are able to secure on their targets. They may give up on one tact, but then re-use the data for another type of attack a month later or even many months later.

    No-one seems to want to be aware of this. It is perhaps too much scare-mongering for the public's appetite.

    I am aware of it because it has happened to me and happened to others who live near me.

    My full credit report was obtained online by criminals through CallCredit. There was an immediate large scale attack when they obtained it but I managed to closedown the thing sufficiently that they quickly lost interest (for a period). The criminals obtained many thousands of pounds inside a week of getting my credit report then gave up trying for more for a bit.

    A month later they used my address for two account takeovers, maybe more. At least I found two credit card statements before the fraudsters intercepted them and I reported them. That was the first that those other victims knew that their accounts had been taken over and by my quick action in contacting their banks their ID was "shored up" as Experian Company Representative likes to put it.

    My name and address were then on CIFAS for a year and that probably diverted fraudsters attention to easier pickings for a time, but they didn't forget.

    The time came for them to try again. The CIFAS marker had dropped off, certain banks clearly don't check dates of birth or bank account details submitted on credit card apps, and CRAs don't question the inconsistent garbage before they add it to the file.


    Can you not see that all this, coupled with general knowledge hereabouts that ID fraud became so rife that IDTheft insurance came and went as its own separate scandal, is a clear pointer that Experian's offer to treat my dob mismatch in splendid isolation is a sick joke?

    If they fail to do so make a complaint to the ICO.

    ICO will humm and ahhh for a few months, do !!!!!! all, and life continues.
    If Experian do fail to cause my file to be fixed without further prompting by me, I shall certainly make it known to ICO what I think and to FCA too.

    Meantime, as I said, we are testing them here, and if when I check the database later on it isn't fixed I shall again say so here.

    There is absolutely no reason why an incorrect date of birth should be accepted into their main database whether comedians like Buzby give banks the wrong dob or not. For dob not to be used as a "hard identifier" is to make the whole database unreliable.

    The jury is out on whether CRAs are the right people to investigate corrupt data presented to them rather than simply to reject it back to the source, but I say NO they clearly are not the right people as we can see they haven't even the gumption to clean their own data retrospectively. There seems to be no commercial gain for them to do so.

    Perhaps we should show them there will be a bigger commercial loss if they do not.
    • patanne
    • By patanne 30th Dec 13, 1:25 PM
    • 1,270 Posts
    • 2,553 Thanks
    patanne
    Actually it is not in their financial interests to get this information right. If they could be depended on to get it right then who would pay them to get a credit report? Far fewer people than do currently I'm sure.
  • goonarmy
    Oh - limited attention span?yep, that tends to happen when posts are too long, rambling and not succinctI think you mean my sentence was too long and your patience was by then thin. partly, and the fact that questions are generally followed by a question markOK, if you aren't interested you can take a horse to water, but not make it drink and all that!Oh dear back to put-downs again ... sigh
    a statement of fact actually, do you know what put down means?
    Oh well, bloke, bloke-ette - Sorr-eee! appology accepted, lesson learnt I think.I must admit I don't know many women who use WTF. get out more Can't say I didn't try to adjust my style a bit though, to see if you might engage.yeah.......no that aint gonna happen


    So, as I was saying, I don't think the 80s and 90s were a good period for developing the kind of enquiring minds that question bad practice - they are more likely to turn on or question anyone amongst them who is a bit different and dares to draw attention to himself above the parapet and try to knock their block off.
    so now we are assuming the age of posters?? Lesson not learnt then
    However, some of us baby boomers do question bad practice, sometimes with terrier-like tenacity, especially those of us who didn't use our great state educations just to get filthy rich and pull up the drawbridges behind us.

    So here I am today, and tomorrow and the day after tomorrow, until the CRAs get it fixed.erm, ok. Good luck with that... pretty sure thats not the way to sort this but keep us informed
    Originally posted by VictimOfImpersonation
    Answers in red, again your reply to Danny that rambles on along far too long might not get the responses you hope for. Try to be more concise and maybe listen to advice given, this forum has some thats quite good, on occasion.
  • VictimOfImpersonation
    Answers in red, again your reply to Danny that rambles on along far too long might not get the responses you hope for. Try to be more concise and maybe listen to advice given, this forum has some thats quite good, on occasion.
    Originally posted by goonarmy
    I am not sure I started the thread to get advice, but I seem to be getting some anyway.

    I think patanne has got the swing of it, and so might a good number of the almost exactly 95% of viewers of this thread who haven't felt the need to add more in a post yet


    I mean look at the situation for goodness sakes dear people - a CRA that allows obviously false entries to stand on your records and allows whoever caused them to be put on file to use them again to try to access details of ALL your credit agreements (and by the law of numbers, they will succeed if not on yours, then maybe on mine or the next victims' ...)
    Last edited by VictimOfImpersonation; 30-12-2013 at 2:50 PM. Reason: Law of Numbers
    • Tiddlywinks
    • By Tiddlywinks 30th Dec 13, 3:16 PM
    • 5,351 Posts
    • 18,507 Thanks
    Tiddlywinks
    I think patanne has got the swing of it, and so might a good number of the almost exactly 95% of viewers of this thread who haven't felt the need to add more in a post yet
    Originally posted by VictimOfImpersonation
    How sweet - you think those 95% of readers (strange that you felt compelled to work the figures out and then quote them here) that haven't posted actually agree with you? More likely that they can't be bothered to wade through the rantings.

    I mean look at the situation for goodness sakes dear people - a CRA that allows obviously false entries to stand on your records and allows whoever caused them to be put on file to use them again to try to access details of ALL your credit agreements (and by the law of numbers, they will succeed if not on yours, then maybe on mine or the next victims' ...)
    Originally posted by VictimOfImpersonation
    The CRAs report the information provided by the financial institutions... they purely report, they are not decision makers.

    It is the financial institution that facilitates the crime by providing access to your accounts.

    You cannot simply match and then amend a data set of personal data the way you would suggest... there are many occasions where someone of the same name, will live at the same address and have a slightly different DOB. In some cultures, the order of the names will be switched depending on circumstances. Cousins born within weeks or months of each other may share the same name.

    In order to consider whether a file contains incorrect data, it is quite reasonable to expect that the individual reports this to the CRA as soon as it comes to his attention. The CRA can then review its records accordingly.

    Why is that so difficult for you to understand?
  • VictimOfImpersonation
    Glad to see you engaged and started thinking about it, Tiddlewinks.

    Anyway, the debate is running over on another thread under the Compare The Market security discussion at the moment as I think James perhaps didn't want it on the Credit File Forum with Experian in the heading.

    1 Negative factors
    • You have recently opened 1 or more new credit accounts.
    See more

    0 changes since last report
    Last edited by VictimOfImpersonation; 30-12-2013 at 4:02 PM. Reason: No cleanup yet at Experian
  • goonarmy
    I am not sure I started the thread to get advice, but I seem to be getting some anyway.

    I think patanne has got the swing of it, and so might a good number of the almost exactly 95% of viewers of this thread who haven't felt the need to add more in a post yet


    I mean look at the situation for goodness sakes dear people - a CRA that allows obviously false entries to stand on your records and allows whoever caused them to be put on file to use them again to try to access details of ALL your credit agreements (and by the law of numbers, they will succeed if not on yours, then maybe on mine or the next victims' ...)
    Originally posted by VictimOfImpersonation
    So you started the thread for attention? The attention your getting probbably isnt the attention you require, the advice given, wanted or otherwise, tells you how to achieve this.
    • Tiddlywinks
    • By Tiddlywinks 30th Dec 13, 10:16 PM
    • 5,351 Posts
    • 18,507 Thanks
    Tiddlywinks
    Glad to see you engaged and started thinking about it, Tiddlewinks.
    Originally posted by VictimOfImpersonation
    Don't be so patronising... you don't know me or what I do as a day job... I don't need you to start me thinking about these issues.

    My actual thoughts about your input are probably best left unsaid.

    Suffice to say I feel it is you that shows a distinct lack of coherent thought in this matter.
  • VictimOfImpersonation
    1 Negative factors
    • You have recently opened 1 or more new credit accounts. No I didn't. A fraudster did. With an incorrect date of birth. My bank of umpteen years and umpteen products issued it and told my CRA of umpteen years that I am 8 years younger than they thought I was. They swallowed it and for good measure gave me this negative factor for recently opening a new credit agreement.
    0 changes since last report (despite issuing the clean-up invitation to Experian). We live in hope.

    See more ?
    Tomorrow then.
  • goonarmy
    1 Negative factors
    • You have recently opened 1 or more new credit accounts. No I didn't. A fraudster did. With an incorrect date of birth. My bank of umpteen years and umpteen products issued it and told my CRA of umpteen years that I am 8 years younger than they thought I was. They swallowed it and for good measure gave me this negative factor for recently opening a new credit agreement.
    0 changes since last report (despite issuing the clean-up invitation to Experian). We live in hope.

    See more ?
    Tomorrow then.
    Originally posted by VictimOfImpersonation
    Why not? Its worked really well so far.
  • Dovah_diva
    Lord, I suspect the OP is retired with a long and empty road ahead of him. If not, maybe he'll go back to work soon and give his rantings a rest.

    More likely that they can't be bothered to wade through the rantings.
    Originally posted by Tiddlywinks
    You got that right. The OP is a man on a mission, there is little point in trying to engage with him. He will patronise and ignore good advice till the sky turns green. Makes for amusing reading though.
    Last edited by Dovah_diva; 31-12-2013 at 9:15 AM.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

533Posts Today

5,014Users online

Martin's Twitter