Experian Hack

It has been almost a month that Experian reported a breach in which 15 million T-mobile customer accounts were said to be compromised. The information included names, addresses, email ids, social security numbers and few more details of the T-mobile customers in USA. Though Experian was quick to react before the information could have been misused to that effect, yet it was a scary news for those 15 million individuals and others who are T-mbile customers or those who have accounts with any of the service providers who use Experian as the Credit verification agency.  
For those who think they are not impacted, they need to rethink about not getting worried because Experian is one Credit Reporting Agency and if its systems can be compromised, then the other Credit Agencies  too can be. What does that mean to common man? Well, take control of your information that is stored, processed and transmitted by the Credit Reporting Agencies (TransUnion & Equifax included). 
As a reaction to the hack, Experian announced two year free Identity Theft protection service “ProtectMYID” for affected T-mobile customers.  Now, the big question that arises here is – “Why is it a reactive announcement and why is it that they otherwise are charging to monitor misuse of our information that they store/process/transmit?” Isn’t it just logical to ensure that they or the service providers from whom we obtain the service should actually be providing this service as a complimentary service? Also, why should Experian provide us this service free only for 2 years? Is there a logical conclusion by them that the hackers will not misuse the data after two years?  Well, I guess they are just trying to shrug off their responsibility to protect our information available on their systems.  First of all they had their systems configured in a manner that got compromised and then they are offering something to show off to the world that they care.  Not something that I would buy with any sort of logic, though I would be the first person to avail immediate patch work offer from them to ensure data regarding myself and my family is not misused impacting my Credit Ratings.
So what does that mean for the Federal Regulators like FDIC should first look at amending the Fair Credit Reporting Act (FCRA) or State Regulations like Consumer Credit Reporting Agencies Act (as referred in California) need to be amended to ensure that the Credit Reporting Agencies are legally bound to secure Consumer Information.  At the same time, the Credit Rating Agencies must consider reviewing their current Security Architectures for access provisions and data flows to identify the possible loopholes that may leave enough space for data compromise like Experian. A composite review is the mandate of time and certainly the Audit reports by independent Auditors must be submitted to the regulators.  This needs to be a time bound activity to ensure that the Credit Reporting Agencies take required remedial measures to ensure that they step up the security provisions and ensure that such future breaches are thwarted right at the attempt level itself rather than letting it to be a news post breach.  It certainly is an important step to be proactive in securing the data and information rather than taking reactive measures that sometimes may result in an organization getting booted from business.
The Experian Breach should not be looked at just limited to T-mobile or Experian for that matter, the industry should take it as an alarm for the future attacks that hackers may be planning to gain more information and if they could get through the doors of Experian, they may get through the doors of other such agencies.  It is important that proactive measures and steps are taken to secure Consumer Data / Information for which these organizations are custodians, not the owners.  
____________________________________
Disclaimer: The views expressed above are solely of the Author and are not endorsed by any organization, individual or industry body for that matter.