Another credit reporting agency has had a security problem.
A flaw in Experian’s computer system exposed users’ PINs — personal identification numbers — for credit freezes, to whoever put in “none of the above” as the answer to security questions, according to a report by Nerdwallet.
The site confirmed the flaw with multiple users who had credit freezes through Experian, who were able to reproduce the weak security.
Mike Litt, a director for consumer group PIRG said that he was also able to reproduce this error.
“This means that even if you had taken the step to freeze your Experian credit report, an identity thief could have unfrozen it and still tried to open a credit account in your name,” he said in an email to Yahoo Finance.
In a statement, an Experian spokesperson said that the company is “confident” that the “authentication is secure and no credit files are at risk.” The company also said it has taken additional steps to secure the process and monitor the systems.
The security flaw comes at a tough time for credit reporting agencies, which are the companies Americans must do business with indirectly, as banks and other financial institutions rely on the data they collect to analyze credit inquiries.
Last September, news broke that Equifax — not to be confused with Experian, which along with TransUnion make up the big three credit agencies — had been breached and data for 146.6 million people had been compromised. The data included sensitive personal information such as Social Security numbers, credit card information, and even passport photos.
In the fallout, consumers wondered why the agency was able to have such lax security while having so much data, and at the same time questioned their relationship with these companies that many never knew they had.
The Experian flaw that exposed credit freeze PINs is not as egregious as a breach, but it shakes the notion, which became prevalent in the wake of the Equifax crisis, that credit freezes were a panacea to the new normal of compromised data. (And as of last month, Americans could freeze their credit for free, a law passed in response to the Equifax hack.)
If a freeze is not secure, and the data is out on the dark web, a freeze alone will not save credit from ID thieves. The only solution, it seems, is for consumers to have to practice good “credit hygiene” and check one of the three bureaus every four months, cycling so each is pulled every 12 months. This is free to do at AnnualCreditReport.com, a website set up by the three major companies.