Experian flaw, millions of consumers urged to change PIN

Here are some options that can ensure your credit is safe and clear. An option for optimal security is freezing your credit through each of the three credit bureaus. If you haven't already frozen your credit, now would be the time since Equifax recently got hacked. Experian IdentityWorks also offers a free 30-day trial membership for identity theft protection and resolution. TransUnion offers free identity protection through its TrueIdentity program. Those with specific questions about the Equifax breach may c

After a report of an online flaw with customer logins, a consumer watchdog has urged consumers to change their passwords on Experian, one of the three agencies that hold data on hundreds of millions of Americans.

The company says it’s not needed.

But either way, news of the problem was another reminder of consumer dependence on companies to protect their personal information. It came a year after the revelation of a massive data breach at Atlanta-based Equifax.

Consumer advocacy group U.S. PIRG says the company needs to be more open about the flaw and urges consumers to change their personal identification numbers – the PINs – used to freeze credit. U.S. PIRG says the only way to change the PIN is to remove a credit freeze and then place a new freeze.

Consumers should start by checking their credit reports at Experian to see if there are fraudulent accounts, said Mike Litt, U.S. PIRG’s consumer campaign director. “The security flaw appears to be fixed, but Experian still needs to notify consumers of the risk and tell them how to protect themselves.”

However, the company has confidence in its protections, said a spokesperson. “Taking into consideration the layers of security controls we have in place and that there is no risk to credit file data or (information that identifies consumers), we don’t feel it is necessary to replace PINs.”

Along with Atlanta-based Equifax, whose breach exposed private information of an estimated 148 million Americans, Experian is one of the three credit agencies that handle massive amounts of consumer and business data. Consumers have no practical way to keep their data, such as Social Security numbers, driver's license information and personal finances, from being collected by the agencies.

Experian says it has credit information on more than 220 million U.S. consumers, demographic information on 300 million people as well as data on 800 million vehicles and 40 million U.S. businesses.

While businesses are the customers of the credit agencies, consumers do have the option of freezing their credit – that is, preventing the opening of new credit lines as a defense against identity theft.

But a report from NerdWallet, a web-based consumer site, says that for some unknown period, Experian's website had a flaw that left open the numbers that permit a consumer to open and close credit lines.

The Experian system was set up to ask a user four personal questions before allowing them access. However, a user who did not know the answers could click “none of the above” to all the questions and would be given the PIN.
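The kind of check described above can fail open when "none of the above" is treated as a skipped question rather than an answer to be graded. The sketch below is an added illustration, not Experian's code: how the real site graded answers has not been published, so the function names, the quiz contents and the grading logic are all assumptions made for the example.

```python
import hmac

NONE = "none of the above"

# Constructed sample quiz (hypothetical): question -> answer on file.
# "None of the above" can be a legitimately correct answer to a decoy question.
EXPECTED = {
    "Which street have you lived on?": "Maple Ave",
    "Which lender holds your auto loan?": NONE,
    "In what year did you open your mortgage?": "2009",
    "Which bank issued your credit card?": "First Example Bank",
}

def verify_fail_open(expected, answers):
    """Flawed grading (assumed): only a specific wrong choice counts against
    the user, so 'none of the above' is never graded and always passes."""
    wrong = 0
    for question, correct in expected.items():
        given = answers.get(question, NONE)
        if given != NONE and given != correct:
            wrong += 1
    return wrong == 0

def verify_fail_closed(expected, answers, min_specific=2):
    """Hardened grading: every question must be answered and every answer,
    including 'none of the above', must equal the answer on file."""
    if set(answers) != set(expected):
        return False  # missing or extra questions: deny
    # The quiz itself must require real knowledge, not just decoys.
    if sum(1 for c in expected.values() if c != NONE) < min_specific:
        return False
    return all(
        hmac.compare_digest(answers[q].encode(), c.encode())
        for q, c in expected.items()
    )

def all_none_attempt(answers):
    """Detection signal worth logging: every answer was 'none of the above'."""
    return bool(answers) and all(a == NONE for a in answers.values())

ALL_NONE = {q: NONE for q in EXPECTED}   # user who knows nothing
CORRECT = dict(EXPECTED)                 # legitimate consumer

if __name__ == "__main__":
    for name, attempt in (("all-none", ALL_NONE), ("correct", CORRECT)):
        print(name, verify_fail_open(EXPECTED, attempt),
              verify_fail_closed(EXPECTED, attempt), all_none_attempt(attempt))
```
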

The California-based credit agency says the flaw has been fixed, but has not responded to questions about how long the flaw existed.

Passwords are a crucial part of the interplay between consumers and the financial system.

Equifax, which has spent several hundred million dollars improving its infrastructure since the 2017 data breach, says that passwords are largely up to consumers.

A user should not use the same password for multiple accounts or share passwords with acquaintances, said Nancy E. Bistritz-Balkan, Equifax vice president. “Make sure that the password is strong.”