Cyber Incident Victim: Experian
Date: Jan 2014
Location: United States of America
Summary
Experian experienced repeated security breaches involving unauthorized access to its credit report database through compromised client login credentials, including an incident affecting the Colorado Bureau of Investigation. The breaches exposed consumer names, addresses, dates of birth, Social Security numbers, and financial account information contained in credit reports. The company offered affected individuals two years of complimentary credit monitoring limited to its own database, excluding other major credit bureaus. Regulatory criticism emerged regarding the frequency of these credential-based breaches and perceived inadequate protective measures, with reports indicating impacts across multiple states including Vermont, New Hampshire, and Maryland.
Description
The Experian incident reported in January 2014 involved unauthorized access to consumer credit reports through compromised client login credentials. Between January 30 and January 31, 2014, an attacker used stolen credentials belonging to the Colorado Bureau of Investigation (CBI) to access Experian's credit report database. The breach exposed affected consumers' names, addresses, and at least one additional sensitive data element per individual from the following categories: dates of birth, Social Security numbers, financial account information, or other credit report details. Experian detected the intrusion within the same two-day window of unauthorized access. Notification letters dated February 14, 2014, were sent to impacted individuals across multiple states, including confirmed reports to residents of Vermont, New Hampshire, and Maryland. This incident represented a recurring pattern of credential-based breaches at Experian, with the article noting approximately 100 similar prior incidents reported publicly since at least 2012.

Experian's response included offering two years of complimentary credit monitoring through its proprietary service, which monitored only the Experian credit database rather than covering all three major credit bureaus (Experian, Equifax, and TransUnion). The company maintained this standardized remediation approach despite prior criticism regarding its effectiveness. Regulatory notifications were filed with the New Hampshire Attorney General's office and Vermont authorities, confirming at least seven affected consumers across three states. The breach highlighted systemic vulnerabilities in Experian's client authentication protocols, as compromised client credentials repeatedly provided full access to sensitive consumer data. Federal Trade Commission records indicated unresolved complaints about Experian's security practices dating back two years prior to this incident, with no publicly disclosed enforcement actions taken at the time of reporting.
