Brian Krebs' investigation raises larger questions. If Experian, one of the three main credit bureaus, is susceptible to accidentally selling data to identity thieves, what about all of the other data brokers out there? Brooke gets in touch with Avivah Litan, a fraud and security research analyst at Gartner, to put the Experian data breach into context, and talk about the larger implications of data security for consumers.
Beacon - Late November
BROOKE GLADSTONE: Avivah Litan is a fraud and security analyst at the research firm Gartner. I got in touch with her to ask just how big of a deal this Experian breach is.
AVIVAH LITAN: So this is a very big deal because they have data on all our credit history, all our financial transaction, all our addresses, our utility bills, our telephone bills, so basically our whole financial history.
BROOKE GLADSTONE: What does the breach show us about the security practices of these large data brokers?
AVIVAH LITAN: We do need a paradigm shift in the way we’re securing consumer data, like a radical change. Right now it’s just patchwork and making do with old systems. And, frankly, even encryption doesn't work anymore. There was a revelation a few weeks ago that the NSA had asked RSA, a security firm, to basically put a backdoor in one of their encryption algorithms, so that the NSA could listen to encrypted communications. So even encrypting information doesn't work anymore against governments, perhaps against criminals, as well.
BROOKE GLADSTONE: But most of us have received, at some point or other, a call from a credit card company saying, did you make this purchase, at least making an effort to follow up on the possibility of breaches and identity theft.
AVIVAH LITAN: Yeah, you raise an excellent point. With credit cards and payments, we needed to bring merchant banks and consumer banks together, and that happened in the form of MasterCard and Visa. They connected all these parties. The credit card industry actually has instituted a lot of good fraud protection controls and also data security controls. The banks don't want to eat the fraud on your credit card. When it comes to identity data, like the data housed by the credit bureaus, there’s no similar private sector mechanism to create these standards and incentives to stop the theft.
BROOKE GLADSTONE: Avivah, let me see if I've got this right. What you're saying is that credit card companies had to eat the consequences of wrongfully-made purchases from people’s stolen credit cards, and so they implemented effective security measures. These kind of measures don't exist when individuals’ identities are stolen. Is it because there's insufficient motivation? If the burden fell on the bank, do you think we’d have better security?
AVIVAH LITAN: A hundred percent. [LAUGHS]
And, and that’s why we have to wake up our government and Congress, who enforce legislation, to make the banks responsible, so that if the mortgage company issues a loan to someone who stole your identity, then that bank should be responsible for issuing that loan. They always try to get the money back from the consumer, so the onus is on the victim to prove themselves innocent. Identity theft is a small portion of load loss to these banks but if the person’s broke, then they eat the loss. So they have reserves for it on their balance sheet, so there’s really no incentive for them to change their ways of doing business.
BROOKE GLADSTONE: So how do we prove we’re innocent?
AVIVAH LITAN: That just takes years of writing to the different credit bureaus, writing to the different banks, trying to clear up your record. There is a whole industry now that's there to help people recover from identity theft. In fact, Experian offers the service. [LAUGHS]
And they sell you monitoring services and remediation services.
BROOKE GLADSTONE: Wow!
AVIVAH LITAN: You know, well this is a case where consumers really does have to step up to the plate. They’ve been talking about for years. They’ve been talking about a federal breach disclosure law, they’ve been talking about identity theft protection, and just nothing’s happened.
BROOKE GLADSTONE: Avivah, thank you very much.
AVIVAH LITAN: Thank you.
BROOKE GLADSTONE: For nothing! [LAUGHS]
AVIVAH LITAN: [LAUGHS] I’m not - I'm really not exaggerating this. Take care.
BROOKE GLADSTONE: Avivah Litan is a fraud and security analyst at Gartner. And here’s a word to the wise, from Experian.
[CLIP/MUSIC UP & UNDER]:
EXPERIAN SPOKESMAN: At any minute, you could be a victim of fraud. Most people don’t even know it. Fraud could mean lower credit scores, higher loan rates, and maybe not getting the car you want.