Letter to FTC and CFPB Re Experian Credit Freeze Security Issue

50 state and national consumer, civil rights, military family, faith and other groups sent a letter to the heads of the FTC and CFPB asking them to investigate an issue at the credit bureau Experian, which appears now to be fixed. The issue apparently let anyone obtain the secret PINs that consumers use to temporarily lift their credit freezes, simply by answering "none of the above" to the security questions. We called for an investigation and robust penalties if warranted, and urged consumers to change their PINs.


Excerpt from the letter (which is linked on this page):

“Experian’s website allows consumers to retrieve their credit freeze PIN, which is needed to temporarily remove a freeze when applying for credit, if they lost it. However, PINs could be retrieved by simply answering “none of the above” to all security questions, providing an opportunity for identity thieves to retrieve PINs, remove freezes, and apply for new credit accounts. This puts all consumers with an Experian credit freeze at risk, including deployed servicemembers who might not discover any fraud until after they return. 

The security flaw appears to be fixed, but Experian still has not notified consumers of the risk or told them how to protect themselves. Consumer advocates encourage people with Experian credit freezes to check their Experian credit reports for fraudulent accounts and suspicious inquiries. Consumers should also change their credit freeze PINs.[1]

At the very least, Experian should notify all who may be at risk because their PINs were retrieved before the flaw was fixed.

It is essential that Experian takes this security issue seriously because credit freezes remain the best line of defense consumers have against new account identity theft. Consumers should be able to control access to their own credit reports securely, and the credit bureaus must ensure such security.

We urge the FTC and CFPB to investigate the security flaw and levy robust financial penalties where appropriate based on the results of the investigation.” 

 

[1] U.S. PIRG, Update to How You Can Change Your Experian Credit Freeze PIN, 16 October 2018.
