Read on Twitter
The nonconsensually compiled dossiers of personal information that @experian_us assembled on the entire population of the USA may currently be exposed via dozens, perhaps hundreds, of sites, thanks to a grossly negligent security defect in Experian's API.
1/
1/
The breach was detected by @BillDemirkapi, a security researcher and @RIT sophomore, and reported on by @briankrebs, the excellent independent security reporter.
https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
2/
https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
2/
Experian, like Equifax, has unilaterally arrogated to itself the right to collect, store and disseminate our personal information, and, like Equifax, it faces little regulation, including obligations not to harm us or penalties when it does.
3/
3/
Experian's API allows criminals to retrieve your credit info by supplying your name and address, information that is typically easy to find, especially in the wake of multiple other breaches, such as @doordash's 5m-person 2019 breach and @drizzly's 2.5m-person 2020 breach.
4/
4/
Demirkapi explains that the API is implemented by many, many sites across the internet, and while Experian assured Krebs that this bug only affected a single site, it did not explain how it came to that conclusion.
5/
5/
Demirkapi discovered the defect while he was searching for a student loan vendor. There is a way to defend yourself against this attack: freeze your credit report. Credit freezes were made free (but opt-in only) in 2018, after the @Equifax breach.
https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/
6/
https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/
6/
Indeed, you may have already been thinking about the Equifax breach as you read this. In many ways, that breach was a wasted opportunity to seriously re-examine the indefensible practices of the credit-reporting industry, which had not been seriously scrutinized since 1976.
7/
7/
1976 was the year that Congress amended the Equal Credit Opportunity Act after hearing testimony about the abuses of the Retail Credit Company - a company that swiftly changed its name to "Equifax" to distance itself from the damning facts those hearings brought to light.
8/
8/
Retail Credit/Equifax invented credit reporting when it was founded in Atlanta in 1899. For more than half a century, it served as a free market Stasi to whom neighbors could quietly report each other for violating social norms.
9/
9/
Retail Credit's permanent, secret files recorded who was suspected of being gay, a "race-mixer" or a political dissident so that banks and insurance companies could discriminate against them.
https://www.jacobinmag.com/2017/09/equifax-retail-credit-company-discrimination-loans
10/
https://www.jacobinmag.com/2017/09/equifax-retail-credit-company-discrimination-loans
10/
This practice was only curbed when a coalition of white, straight conservative men discovered that they'd been misidentified as queers and commies and demanded action, whereupon Congress gave Americans limited rights to see and contest their secret files.
11/
11/
But these controls were never more than symbolic. Congress couldn't truly blunt the power of these private-sector spooks, because the US government depends on them to determine eligibility for Social Security, Medicare and Medicaid.
12/
12/
It's a public-private partnership from hell. Credit reporting bureaux collect data the government is not legally allowed to collect on its own, then sells that data to the government (Equifax makes $200m/year doing this).
https://web.archive.org/web/20171004200823/http://www.cetusnews.com/business/Equifax-Work-for-Government-Shows-Company%E2%80%99s-Broad-Reach.HkexS6JAq-.html
13/
https://web.archive.org/web/20171004200823/http://www.cetusnews.com/business/Equifax-Work-for-Government-Shows-Company%E2%80%99s-Broad-Reach.HkexS6JAq-.html
13/
These millions are recycled into lobbying efforts to ensure that the credit reporting bureaux can continue to spy on us, smear us, and recklessly endanger us by failing to safeguard the files they assemble on us.
14/
14/
This is bad for America, but it's great for the credit reporting industry. The Big Three bureaux (Equifax, Experian and @Transunion) have been on a decade-long buying spree, gobbling up hundreds of smaller companies.
15/
15/
These acquisitions lead directly to breaches: a Big Three company that buys a startup inherits its baling-wire-and-spit IT system, built in haste while the company pursued growth and acquisition.
16/
16/
These IT systems have to be tied into the giant acquiring company's own databases, adding to the dozens of other systems that have been cobbled together from previous acquisitions.
17/
17/
This became painfully apparent after the Equifax breach, so much so that even GOP Congressional Committee chairs called the breach "entirely preventable" and the result of "aggressive growth." But they refused to put any curbs on future acquisitions.
https://thehill.com/policy/technology/420582-house-panel-issues-scathing-report-on-entirely-preventable-equifax-data
18/
https://thehill.com/policy/technology/420582-house-panel-issues-scathing-report-on-entirely-preventable-equifax-data
18/
A lot has happened since Equifax, so you may have forgotten just how fucked up that situation was. Equifax's IT was so chaotic that they couldn't even encrypt the data they'd installed. Two months later, they "weren't sure" if it had been encrypted.
https://searchsecurity.techtarget.com/news/450429891/Following-Equifax-breach-CEO-doesnt-know-if-data-is-encrypted
19/
https://searchsecurity.techtarget.com/news/450429891/Following-Equifax-breach-CEO-doesnt-know-if-data-is-encrypted
19/
SIX MONTHS before the breach, outside experts began warning Equifax that they were exposing our data:
https://www.vice.com/en/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning
The ONLY action Equifax execs took? They sold off a shit-ton of stock:
https://www.bloomberg.com/news/articles/2018-03-14/sec-says-former-equifax-executive-engaged-in-insider-trading
20/
https://www.vice.com/en/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning
The ONLY action Equifax execs took? They sold off a shit-ton of stock:
https://www.bloomberg.com/news/articles/2018-03-14/sec-says-former-equifax-executive-engaged-in-insider-trading
20/
The Equifax breach exposed the arrogance and impunity of the Big Three. Afterward, Equifax offered "free" credit monitoring to the people they'd harmed. One catch: it was free for a year; after that, they'd automatically bill you, annually, forever.
https://web.archive.org/web/20170911025943/https://therealnews.com/t2/story:19960:Equifax-Data-Breach-is-a-10-out-of-10-Scandal
21/
https://web.archive.org/web/20170911025943/https://therealnews.com/t2/story:19960:Equifax-Data-Breach-is-a-10-out-of-10-Scandal
21/
And you'd pay in another way if you signed up for that "free" service: the fine print took away your right to sue Equifax, forever, no matter how they harmed you:
https://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929
22/
https://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929
22/
The credit bureaux bill themselves as arbiters of the public's ability to take responsibility for their choices, but after the breach, the CEO blamed the entire affair on a single "forgetful" flunky:
https://www.engadget.com/2017-10-03-former-equifax-ceo-blames-breach-on-one-it-employee.html
23/
https://www.engadget.com/2017-10-03-former-equifax-ceo-blames-breach-on-one-it-employee.html
23/
Then he stepped down and pocketed a $90m salary that his board voted in favor of:
https://fortune.com/2017/09/26/equifax-ceo-richard-smith-net-worth/
24/
https://fortune.com/2017/09/26/equifax-ceo-richard-smith-net-worth/
24/
Of course they did! His actions made the company so big that even after the breach, the IRS picked it to run its anti-fraud. Equifax got $7.5m from Uncle Sucker, and would have kept it except that its anti-fraud site was SERVING MALWARE:
https://www.cbsnews.com/news/equifax-irs-data-breach-malware-discovered/
25/
https://www.cbsnews.com/news/equifax-irs-data-breach-malware-discovered/
25/
Equifax eventually settled all the claims against it for $700m in 2019:
https://nypost.com/2019/07/19/equifax-agrees-to-pay-700m-after-massive-data-breach/
But it continued to average five errors per credit report:
https://www.washingtonpost.com/technology/2019/02/11/rep-alexandria-ocasio-cortez-takes-aim-equifax-credit-scoring/
26/
https://nypost.com/2019/07/19/equifax-agrees-to-pay-700m-after-massive-data-breach/
But it continued to average five errors per credit report:
https://www.washingtonpost.com/technology/2019/02/11/rep-alexandria-ocasio-cortez-takes-aim-equifax-credit-scoring/
26/
And it continued to store sensitive user-data in an unencrypted database whose login and password were "admin" and "admin":
https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html
27/
https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html
27/
Congress introduced multiple bills to force Equifax, Experian and Transunion to clean up their act.
None of those bills passed.
https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html
28/
None of those bills passed.
https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html
28/
The IRS shrugged its shoulders at America, telling the victims of Equifax's breach that their information had probably already leaked before Equifax doxed them, so no biggie:
https://thehill.com/policy/cybersecurity/355862-irs-significant-number-of-equifax-victims-already-had-info-accessed-by
29/
https://thehill.com/policy/cybersecurity/355862-irs-significant-number-of-equifax-victims-already-had-info-accessed-by
29/
Since then there have been other mass breaches, most recently the Facebook breach that exposed 500m people's sensitive data. That data can be merged with data from other breaches and even from "anonymized" data-sets that were deliberately released:
https://pluralistic.net/2021/04/21/re-identification/#pseudonymity
30/
https://pluralistic.net/2021/04/21/re-identification/#pseudonymity
30/
And while you can theoretically prevent your data from being stolen using the current Experian vulnerability by freezing your account, that's not as secure as it sounds.
31/
31/
Back in 2017, Brian Krebs reported that Experian's services were so insecure that anyone could retreive the PIN to unlock a frozen credit report by ticking a box on a website:
https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/
32/
https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/
32/
That was just table-stakes - it turned out that ALL the credit bureaux had an arrangement with AT&T's telecoms credit agency that was so insecure that ANYONE could unlock your locked credit report:
https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/
33/
https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/
33/
These companies came into existence to spy on Americans in order to facilitate mass-scale, illegal financial racist, ideological and sexual discrimination. They gather data of enormous import and sensitivity - data no one should be gathering, much less retaining and sharing.
34/
34/
They handle this data in cavalier ways, secure in the knowledge that their integration with the US government wins them powerful stakeholders who will ensure that the penalties for the harm they inflict add up to less than profits those harms generate for their shareholders.
35/
35/
This is why America needs a federal privacy law with a "private right of action" - the ability to sue companies that harm you, rather than hoping that federal prosecutors or regulators will decide to enforce the law.
https://pluralistic.net/2021/04/16/where-it-hurts/#sue-facebook
36/
https://pluralistic.net/2021/04/16/where-it-hurts/#sue-facebook
36/
Experian promises that this breach only affects one company that mis-implemented its API. We would be suckers to take it at its word. It didn't know about this breach until a college sophomore sent in a bug report - how would it know if there were others?
37/
37/
If you'd like an unrolled version of this thread to read or share, here's a link to it on http://pluralistic.net , my surveillance-free, ad-free, tracker-free blog: https://pluralistic.net/2021/04/30/dox-the-world/#experian
Image:
@kcgreenn (modified)
https://kcgreendotcom.com/
eof
Image:
@kcgreenn (modified)
https://kcgreendotcom.com/
eof
