Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.
[...]
KrebsOnSecurity has long urged readers in the United States to place a security freeze on their files with the three major credit bureaus. With a freeze in place, potential creditors can’t pull your credit file, which makes it very unlikely anyone will be granted new lines of credit in your name. I’ve also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account for you and assuming control over your identity.
[...]
Settlements? LMBO!! The liability is, and government agencies MUST ensure it happens, is 2FA as a "minimum" security measure for every company. Every time a major company has data breaches the same result takes place. Slap on the wrist, nothing changes and it's business again as usual. Until the next breach. May I remind everyone of the Wells Fargo fiasco that still continues to the very day. How about BOFA? Same same. How about OPM, where they stole ALL my credentials from that federal agency OTHER than my fingerprints. No consequences whatsoever for any of it. Just some half-baked credit monitoring.
What SHOULD happen is the federal government issuing brand spanking new SS numbers to every American, and along the way, force ALL the credit agencies specifically to pay for it. No taxpayer funding, to cover yet another corporate welfare program. Validate who is who before issuing those new numbers and cards. Make a "physical walk-in" mandatory to SS with proof of identity a must. No ID, no number, no card. Costly as it will be, it's the only real solution. The very minute we must unfreeze our credit for a purchase someone is right there waiting to take the opportunity to gain access. Consumers bear the costs of legal fees and bogus accounts to pay off, not the people who allowed it to happen in the first place.
Equifax settlement gave me free credit monitoring with Experian Identity Watch.
Sounds like a shell game to me.
correction: Experian Identity Works
Dear name:
You filed a claim in the Equifax Data Breach Settlement and chose to receive free, three-bureau (Equifax, Experian, and TransUnion) credit monitoring from Experian for four years. You were sent an email in February that provided additional information about the services provided by Experian as part of the Settlement and how to enroll by June 27, 2022.
I personally think the CEOs along with their Board of Directors of these credit bureaus should be held totally accountable, both criminally as well as financially for their actions or lack thereof.
What it boils down to is they simply don't want to expend the resources to safeguard your data and then try to shift the burden onto the consumers. That simply adds insult to injury, offering what I'd postulate as worthless credit monitoring, to make further profit... Wow, can we say "double scammed".
“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”
Offers of credit monitoring as a solution and some petty fine by the government are BS; this company should be taken off-line until such time they have the security issues corrected AND verified. Figure out who the insiders may be giving this level of access and lack of security policies. Rid the industry of them.
I've had credit freezes on all three bureaus for years for this very reason. Five years ago someone opened a Capital One account with my credentials; I never knew that had taken place. Out of nowhere, I was sued by Capital One; they ultimately lost and paid serious compensation for their ignorance. (Thanks Capital One for paying for my new Harley-Davidson.) All accounts were closed and secured against further lack of security on the part of C1. Make sure you get things in writing when/if something happens. Cover your backside and use a "disposable" e-mail account for uncommon things. Just sharing some common steps we all can take to stay out of those rabbit holes.