Experian, one of the Big-Three consumer credit bureaus in the United States, recently disclosed closing a vulnerability on a partner website that caused a data leak. The vulnerability in question allowed anyone to look up the credit score of tens of millions of Americans by simply supplying the victim’s name and mailing address.
According to KrebsOnSecurity.com, independent security researcher Bill Demirkapi discovered the data leak. While consulting for a student loan vendor, he found that it used an Experian Application Programming Interface (API) that did not require any form of authentication. Moreover, Demirkapi suspects that hundreds of other lending companies might use the same Experian API.
If Demirkapi’s allegations prove true, Experian’s announcement of closing a single vulnerability might not solve the problem. It remains unclear how widespread the vulnerability may be or how many third parties may have accessed it. Experian denies the possibility of a systematic vulnerability.
This is not the first major cybersecurity issue caused by the consumer credit bureaus. Fellow Big-Three bureau Equifax is responsible for one of the worst breaches in cybersecurity history.
We consulted cybersecurity experts for their perspectives on the Experian Data Leak.
The Experian Data Leak
Nathanael Coffing is Co-Founder and CSO of Cloudentity.
“This API security flaw leaked tens of millions of Americans’ credit scores and left Experian customers’ personal information vulnerable to fraud. Similar to the Walgreens data breach that occurred last year, this is a prime example of the importance of using identity and authorization as the baseline for security best practices at the API level.
Without secure identity and authorization controls placed on the API, a bad actor can easily obtain access to a user’s data simply by programmatically using names and addresses. While this vulnerability was promptly resolved after it was identified, it is likely that other companies using similar APIs have also leaked users’ credit scores. To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.”
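To make the contrast in this quote concrete, here is an added Python example (not code from Experian, Cloudentity or this article) that places a lookup behind partner authentication and a per-consumer authorization check. The partner token format, the `credit:read` scope, the `CONSENTS` and `SCORES` tables and the signing key are all constructed for the demo; a production service would use a managed key and a standard token library rather than the hand-rolled HMAC token shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this demo only.
SIGNING_KEY = b"demo-only-partner-token-key"

# Constructed sample data: which lending partner currently holds an
# application (and the consumer's consent) for each consumer record.
CONSENTS = {
    "consumer-1": {"lender-A"},
    "consumer-2": {"lender-B"},
}
SCORES = {"consumer-1": 712, "consumer-2": 688}


def open_lookup(consumer_ref):
    """The anti-pattern the quote describes: anyone who can name a record gets the score."""
    return SCORES.get(consumer_ref)


def mint_partner_token(partner_id, scopes, ttl_s=300, now=None):
    """Issue a short-lived, HMAC-signed token bound to one partner and an explicit scope list."""
    issued = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sub": partner_id, "scope": list(scopes), "exp": issued + ttl_s}, sort_keys=True
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_partner_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        body_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token or bad base64 padding
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if claims["exp"] <= current:
        return None
    return claims


def lookup_credit(token, consumer_ref, now=None):
    """Hardened lookup: authenticate the partner, check scope, then check that this
    partner is authorized for this specific consumer (granular, context-based)."""
    claims = verify_partner_token(token, now)
    if claims is None:
        return {"status": 401, "error": "invalid or expired partner token"}
    if "credit:read" not in claims["scope"]:
        return {"status": 403, "error": "token lacks credit:read scope"}
    if claims["sub"] not in CONSENTS.get(consumer_ref, set()):
        return {"status": 403, "error": "no active application for this consumer with this partner"}
    return {"status": 200, "partner": claims["sub"], "score": SCORES[consumer_ref]}


if __name__ == "__main__":
    token = mint_partner_token("lender-A", ["credit:read"])
    print(lookup_credit(token, "consumer-1"))  # authorized: returns the score
    print(lookup_credit(token, "consumer-2"))  # lender-A has no application here: 403
```

The key design point is the third check in `lookup_credit`: a valid partner credential alone is not enough, the partner must also have a live relationship with the consumer being queried, which is what stops a single compromised partner integration from being used to read every record the bureau holds.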
Michael Isbitski is a Technical Evangelist at Salt Security.
“The leaky API was stood up by Experian so that lending partners could verify the creditworthiness of an individual and potential credit applicant. The data returned by the API included the person’s FICO score and impacting risk factors on creditworthiness such as high credit utilization or too many open revolving accounts.
To authenticate the individual, the public API required only first name, last name, street address, zip code, and birthdate. Unfortunately, this last authentication factor was not validated properly, and the check could be bypassed by using all zeros for the birth date.
Even if an individual’s birthday was being properly validated, the authentication factors that were being used were weak. Much of the authentication material that Experian was using is public or semi-public as a result of prior security breaches at other service providers.
It’s not clear if this weakness was exploited by other attackers beyond the security researcher’s probing and disclosure. Experian confirmed only that they were able to uncover the security researcher’s activity in their backend logs after the problem was disclosed to them. An API that uses weak authentication like this could potentially be enumerated and scraped to obtain large amounts of the private, credit-related data.
From the perspective of the consumer, a credit freeze is always a good idea to protect themselves from identity and credit fraud. If an individual had a credit freeze in place, Experian’s API returned no data for that person.”
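The three points in this quote (the all-zeros birthdate bypass, the enumeration risk of a weakly authenticated endpoint, and the credit freeze returning no data) are illustrated in the added Python example below. This is not Experian's or Salt Security's code: `lenient_dob_matches` is a hypothetical reconstruction of the kind of check that would let all zeros through, shown beside a strict parser; the records, the freeze list, the fixed `TODAY` date and the log lines are all constructed, and the log format and enumeration threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample bureau records (not real people): subject id -> on-file attributes.
RECORDS = {
    "c-1": {"first": "Ada", "last": "Lovelace", "zip": "02142", "dob": "1985-12-10", "score": 712},
    "c-2": {"first": "Alan", "last": "Turing", "zip": "94110", "dob": "1990-06-23", "score": 688},
}
FROZEN = {"c-2"}            # subjects with a credit freeze in place
TODAY = date(2021, 4, 30)   # fixed so the age check is deterministic


def lenient_dob_matches(supplied, on_file):
    """Hypothetical weak check: an all-zero date is treated as 'not provided' and skipped."""
    if supplied.replace("-", "").strip("0") == "":
        return True
    return supplied == on_file


def parse_birthdate(s, today=TODAY):
    """Strict parse: YYYY-MM-DD only, a real calendar date, and a plausible age (18..120).
    Returns a date or None; '0000-00-00' fails because year 0 is not a valid date."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", s):
        return None
    try:
        d = datetime.strptime(s, "%Y-%m-%d").date()
    except ValueError:
        return None
    age = today.year - d.year - ((today.month, today.day) < (d.month, d.day))
    if not 18 <= age <= 120:
        return None
    return d


def strict_dob_matches(supplied, on_file):
    d = parse_birthdate(supplied)
    return d is not None and d == date.fromisoformat(on_file)


def find_subject(first, last, zip_code):
    for sid, r in RECORDS.items():
        if (r["first"].lower(), r["last"].lower(), r["zip"]) == (first.lower(), last.lower(), zip_code):
            return sid
    return None


def lookup(first, last, zip_code, dob, matcher=strict_dob_matches):
    """One uniform 'no data' answer for unknown subjects, failed DOB checks and frozen files,
    so a caller cannot tell which of the three happened."""
    sid = find_subject(first, last, zip_code)
    if sid is None or not matcher(dob, RECORDS[sid]["dob"]) or sid in FROZEN:
        return {"status": 404}
    return {"status": 200, "score": RECORDS[sid]["score"]}


# Constructed access-log lines; subjects are logged as opaque hashes, never as names.
LOG_LINES = """\
2021-04-28T10:00:01Z client=203.0.113.5 subject=h01 status=200
2021-04-28T10:00:02Z client=203.0.113.5 subject=h02 status=404
2021-04-28T10:00:02Z client=203.0.113.5 subject=h03 status=200
2021-04-28T10:00:03Z client=203.0.113.5 subject=h04 status=404
2021-04-28T10:00:03Z client=203.0.113.5 subject=h05 status=200
2021-04-28T10:00:09Z client=198.51.100.7 subject=h01 status=200
2021-04-28T10:00:40Z client=198.51.100.7 subject=h01 status=200
"""
LOG_RE = re.compile(r"client=(?P<client>\S+) subject=(?P<subject>\S+) status=(?P<status>\d+)")


def flag_enumerators(lines, max_distinct_subjects=3):
    """Detection: a client that queries many distinct subjects is behaving like a scraper,
    whereas a real lender re-checks a handful of applicants. Returns the flagged clients."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            seen[m["client"]].add(m["subject"])
    return sorted(c for c, subjects in seen.items() if len(subjects) > max_distinct_subjects)


if __name__ == "__main__":
    print(lookup("Ada", "Lovelace", "02142", "0000-00-00", matcher=lenient_dob_matches))  # leaks
    print(lookup("Ada", "Lovelace", "02142", "0000-00-00"))                               # 404
    print(lookup("Alan", "Turing", "94110", "1990-06-23"))                                # frozen: 404
    print(flag_enumerators(LOG_LINES.splitlines()))
```

A production detector would count distinct subjects per client inside a sliding time window and feed the result into rate limiting, but even this simple per-client cardinality count separates the scraping pattern from the repeated single-applicant checks a genuine lender makes.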
Thanks to these experts for their time and expertise on the Experian Data Leak. For more, check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine.
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.