URL hack exposes data privacy issues

Krebs on Security post highlights data privacy issues enabling full credit reports to be downloaded with just four pieces of customer information.
14 February 2023

Customers have the right to see the data that companies hold on them. But poorly implemented access can lead to data privacy issues. Image credit: Shutterstock Generate.

It’s often the case that a few things have to go wrong to expose data privacy issues. But when they do, the pain for customers – who should, thanks to consumer protection, have their privacy strengthened, not weakened – is bad. Really bad. A recent example is a URL hack relating to Experion, a consumer credit reporting company, which cybersecurity journalist Brian Krebs – a former reporter for The Washington Post – has brought to light. According to correspondence received by Krebs from Experion, a technical issue left the door open for 47 days, enabling full credit reports to be downloaded with just four pieces of customer information.

On TechHQ, we’ve written previously about how data privacy issues can arise even when information officers have taken steps to anonymize individuals in research data. Identifying features can be surprisingly easy to track down, even in very large data sets– for example, if your height is unusual for your weight. But sometimes bad actors can just jump straight into your records and steal your data without having to solve any such puzzles. And, in the Experion case highlighted by Krebs, all it takes – according to his investigation – is a few pieces of personally identifiable information (PII) and some URL knowledge gleaned from Telegram chat channels.

Access check

Organizations such as credit-scoring firms are prime targets for data thieves. Credit reports can be packed full of customer information and reveal how people pay their bills and whether they’ve filed for bankruptcy. For consumers, the contents affect major purchases, loan terms, and can even become a factor in hiring decisions. Given the importance of an individual’s credit report, consumers should be able to check their data to make sure that it’s accurate and raise any errors with the agencies holding the information.

The US Federal Trade Commission makes clear that credit bureaus must provide individuals access to a free copy of their credit report every 12 months. And this was the window that shook loose, giving anyone who knew an individual’s name, address, birthday, and social security number free access to that person’s full credit report. In the URL hack described by Krebs in his blog post, switching a few characters in the final part of the address allowed visitors to bypass knowledge-based authentication (KBA) questions and access customer information.

KBA questions are far from a rock-solid security measure. But they will deter some adversaries, especially if good security practices are deployed such as limiting the number of re-tries – in this case – if a user provides the wrong answer to a KBA question. As Krebs points out, however, there is little point in having KBA questions if they are based on information that can be readily found in the public domain. Social media has made it much easier for bad actors to discover all kinds of user details – where individuals like to eat, go on holiday, their home town, pets’ names, and other information that could end up in a KBA security quiz.

Krebs has written previously in 2022 about how identity thieves were able to exploit security weaknesses to hijack Experion consumer accounts. Again, it shouldn’t be so straightforward for bad actors to gain access, but sadly data privacy issues have become all too common. And the almost weekly cycle of data breaches, from firms that should know better or have taken more steps to educate themselves, doesn’t help. Also, just because a data breach has only spilled a couple of fields of customer information doesn’t mean that those affected can sleep easy. Partial data breaches are dangerous too, when so much information is now out in the wild. Adversaries will waste no time in piecing together somebody’s PII if that information is valuable.

Addressing customer concerns

But how can consumers determine that their information will be safely secured on a firm’s database or network? Regulations such as GDPR mandate that companies holding customer details must be more prepared for a personal data breach – promptly contacting those affected and having a response plan. But what about minimizing the risk of personal data breaches happening in the first place? The UK’s Information Commissioner’s Office (ICO) – an independent body set up to uphold information rights – has a useful no-nonsense guide to help organizations improve the security of their data and keep it from getting lost, damaged or stolen.

Proactive clients should ask questions of their service providers to determine whether they are aware of data security best practices, such as the steps described by the ICO. And often, much can be deduced about the risk of data privacy issues by navigating to an organization’s security page on their website – starting with the question, do they have a security page on their website? If a prospective service provider doesn’t, it might be worth seeking out a competitor that does. And, better still, one that includes policies, which spell out the steps taken to look after your information and combat data privacy issues.