Hackers Steal Credit Report Data Via Compromised Logins Used By Banks

Hackers Use Malware To Access Experian Credit Reports

More than 17,000 credit reports have been exposed as a result of attacks at financial institutions and other organizations over the past six years. Attackers grabbed the credit reports using stolen login credentials for credit reporting bureaus.

There have been 86 incidents since 2006 that resulted in data belonging to the three major credit reference agencies, Experian, Equifax, and TransUnion, being exposed to snoops, according to an investigation by Bloomberg.

Attackers did not obtain people's credit histories by attacking the credit bureaus directly, but by targeting financial institutions and other organizations that are authorized to request credit reports.

In one instance, attackers breached a Texan bank in September 2011, and got their hands on the bank's account with credit reference agency Experian. Using that login, the attackers downloaded credit reports on 847 people, none of whom had ever been a customer of the bank. The reports contained highly sensitive personal information, such as Social Security numbers, dates of birth, and other financial data for people all over the country.

“It illustrates a growing problem when it comes to data breaches and security – the chain is only as strong as its weakest link,” Sen. Richard Blumenthal (R-Conn) told Bloomberg.

Experian and TransUnion told Bloomberg the breaches were the result of malware infections on customer computers. “We continue to invest in the security systems we have in place to protect our clients and consumers,” Gerry Tschopp, a spokesman for Experian, told Bloomberg.

“Of course, the first line of defense lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means,” Tschopp said.

There were 80 breaches against Experian's database, resulting in 15,500 credit reports being downloaded. Equifax saw four attacks, which resulted in exposing more than 1,200 reports. TransUnion was targeted only twice, and exposed only 500 records to unauthorized snooping, according to the information stored on DataLossDB.org. All the incidents originated with login names and passwords being stolen.

Criminals have access to a wealth of financial data when they steal a credit report. The reports contain enough information to allow the perpetrators to take out new credit cards, qualify for loans and mortgages, and even get a driver's license.

"The finely-groomed data on citizens accessible to thieves has the potential to compromise entire financial systems that use that data to validate identity, provide background data, and enable financial transactions," Mark Bower, a vice-president at Voltage Security, told SecurityWeek.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.