Gerry Tschopp, a spokesman for Experian, said that the cyberattack is an isolated incident experienced by some of its U.S. clients rather than an attack on Experian’s North American systems.
“The issue is indicative of the larger problem of cybercrimes facing many companies and many industries, which is the growing sophistication of financial malware,” Tschopp said, according to American Banker.
Last year, hackers broke into computers at Abilene Telco Federal Credit Union, stealing the password for the bank’s account with Experian, which has data on more than 740 million consumers. The cyberthieves then downloaded credit reports and Social Security numbers on more than 800 people.
The incident drew attention to security issues at Experian and other credit reporting agencies, which have experienced a number of data breaches in the past several years. According to American Banker, DataLossDB reports that more than 17,000 credit reports have been stolen from credit reporting agencies since 2006.
Though the agencies maintain that the attacks are not direct, the firms have been criticized for not doing enough to protect consumer data.
“The crooks used basic credentials to get in,” Al Pascual, an industry analyst for security, risk and fraud at Javelin Strategy & Research, said, according to American Banker. “It would have been better to increase and strengthen the type of authentication required.”
Experian maintains that its security systems require more than just basic credentials. Tschopp did not give details regarding software or system structure, but he said that the company uses a risk-based authentication system in addition to a tech network that detects anomalies in clients' system access.
“We require and expect our clients to routinely and securely manage their authentication credentials to the highest standards and monitor the security of their systems,” Tschopp said, American Banker reports. “In the instances where credentials might be compromised, our security systems monitor 24/7 for any anomalies that could suggest suspicious activity. These are then flagged immediately to the client, and, as appropriate, to consumers and law enforcement for resolution.”
Pascual said that enhanced protections against unauthorized access, including device fingerprinting, which is used to determine whether credentials are being used to fraudulently access a network, could strengthen data protection.
“If they are using device fingerprinting to make sure that the machines that are accessing the consumer records are bank machines, that will strengthen the protocol,” Pascual said, according to American Banker.