Experian Leaked Consumer Credit Scores – Expert Commentary

BACKGROUND:

Brian Krebs’ report that Experian API Exposed Credit Scores of Most Americans says: “Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address… Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.” 

Expert Comments

April 30, 2021
Garret F. Grajek
CEO
YouAttest

Brian Krebs once again did a great service to the IT security industry by revealing the flaw in the Experian API. His mission to improve the security posture of the internet is valued. An important takeaway on this is just how vulnerable all data is with ubiquitous on-line scanning and penetration efforts. It is no longer an option but a must that our systems be re-evaluated to ensure that not only data but users and user privileges are validated, with a zero-trust concept in mind - to ensure that the only access that is allowed is what is intended.

April 30, 2021
Tom Garrubba
Senior Director and CISO
Shared Assessments

If this isn’t an argument for more and better DevSecOps, then nothing is. The root cause of this issue is poor testing of the application’s overall security controls. This could have been prevented if the application designers had built, as part of their application development process, secure code development and thorough testing at each phase of the development lifecycle. Unsecure APIs are one of the most common threat vectors used by bad actors to take advantage of poorly secured applications to get to data. Such bad coding practices not only hurt everyone financially but can seriously erode the trust of the agencies that utilize the application and damage the reputation of the development firm.

The fact is that application security is becoming so much more important, as is careful talent acquisition - cyber criminals are now actually seeking to obtain legitimate cyber and tech-related positions in companies.

April 30, 2021
Saryu Nayyar
CEO
Gurucul

The credit score data exposed as well as risk factors can be very successfully used to socially engineer money from people’s accounts. This data is personal and highly sensitive - just the sort of data cyber criminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API? Shame on you Experian!
