Class Action Alleges Experian Didn't Stop Identity Thieves from Hijacking Accounts

'A class action lawsuit has been filed against big-three consumer credit bureau Experian,' reports Krebs on Security, 'over reports that the company did little to prevent identity thieves from hijacking consumer accounts.

The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim's personal information and a different email address. The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian's documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.

The lawsuit even cites a July blog post from Krebs on Security. The blog post's title? 'Experian, You Have Some Explaining to Do.'

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change... After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account's previously chosen PIN and recovery questions. Once I'd changed the PIN and security questions, Experian's site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?
Experian did send an automated message to the account's original email address when a new one was added, Krebs wrote, but wondered what good that would actually do. 'The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, 'this email address is no longer monitored'...'
'I could see no option in my account to enable multi-factor authentication for all logins...'

And Krebs added Friday that 'Since that story ran I've heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account.'

Read more of this story at Slashdot.