Editing Experian (section)

==Data breaches==

=== 2015 ===
[[File:2015-10-05 experian-letter-redacted.jpg|thumb|upright|Letter from Experian North America CEO, Craig Boundy, informing T{{Non breaking hyphen}}Mobile customer their [[personal information]] was compromised in Experian server hack.]]
On 1 October 2015 Experian announced that they had discovered a [[data breach]] existing between 1 September 2013 and 16 September 2015. As many as 15 million people who used the company's services, among them customers of American cellular company [[T-Mobile US|T-Mobile]] who had applied for Experian credit checks, may have had their [[private information]] exposed.<ref>{{Cite news |last=Thielman |first=Sam |date=2 October 2015 |title=Experian hack exposes 15 million people's personal information |work=The Guardian |location=London |url=https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information |url-status=live |access-date=2015-10-26 |archive-url=https://web.archive.org/web/20170201120620/https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information |archive-date=1 February 2017}}</ref><ref>{{Cite web |title=Experian Breach Affects 15 Million Consumers |date=5 October 2015 |url=https://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/ |url-status=live |archive-url=https://web.archive.org/web/20170916120259/https://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/ |archive-date=16 September 2017 |access-date=2017-09-23 |publisher=Krebs on Security}}</ref>

=== 2020 ===
In 2020 it was revealed that Experian had suffered a further data breach, on this occasion in South Africa.<ref>{{Cite news |title=Experian Data Breach |work=SABRIC |url=https://www.sabric.co.za/media-and-news/press-releases/experian-data-breach |access-date=2020-10-29 |archive-date=31 October 2020 |archive-url=https://web.archive.org/web/20201031153817/https://www.sabric.co.za/media-and-news/press-releases/experian-data-breach |url-status=live}}</ref> Initially, Experian claimed that the incident had been contained<ref>{{Cite news |last=Shange |first=Naledi |date=2020-08-20 |title=How Experian was duped into handing over data on 24 million South Africans |work=TimesLIVE |location=South Africa |url=https://www.timeslive.co.za/news/south-africa/2020-08-20-how-experian-was-duped-into-handing-over-data-on-24-million-south-africans |access-date=2020-10-29 |archive-date=31 October 2020 |archive-url=https://web.archive.org/web/20201031153917/https://www.timeslive.co.za/news/south-africa/2020-08-20-how-experian-was-duped-into-handing-over-data-on-24-million-south-africans/ |url-status=live}}</ref> but subsequently this was shown to be untrue. Data on 24 million South Africans was leaked, as well as on nearly 800,000 businesses. Of these, 24,838 had financial details leaked.<ref>{{Cite news |last=Hosken |first=Graeme |date=2020-09-13 |title=Data from huge Experian breach found on the internet |work=The Sunday Times |location=South Africa |url=https://www.timeslive.co.za/sunday-times/news/2020-09-13-data-from-huge-experian-breach-found-on-the-internet |access-date=2020-10-29 |archive-date=31 October 2020 |archive-url=https://web.archive.org/web/20201031153850/https://www.timeslive.co.za/sunday-times/news/2020-09-13-data-from-huge-experian-breach-found-on-the-internet/ |url-status=live}}</ref>

=== 2021 ===
In January 2021 a new leak was revealed in Brazil, with the source being linked to Experian's Brazilian subsidiary Serasa Experian. The breach resulted in data of 220 million citizens (including some already dead) being sold in the web. This is probably the most severe data breach in history, as it includes names, social security numbers, income tax declaration forms, addresses and other private information on nearly all Brazilian citizens.<ref>{{Cite news |title=The largest personal data leakage in Brazilian history |work=OpenDemocracy.net |url=https://www.opendemocracy.net/en/largest-personal-data-leakage-brazilian-history |access-date=2021-02-22 |archive-date=24 February 2021 |archive-url=https://web.archive.org/web/20210224140707/https://www.opendemocracy.net/en/largest-personal-data-leakage-brazilian-history/ |url-status=live}}</ref> Experian claims there's no evidence that its systems have been compromised, but this lack of evidence doesn't explain it being the only probable source for the data. According to a Brazilian consumer rights foundation, the company has not been handling the breach appropriately.<ref>{{Cite news |title=Experian Challenged Over Massive Data Leak in Brazil |work=ZDNET |url=https://www.zdnet.com/article/experian-challenged-over-massive-data-leak-in-brazil/ |access-date=2021-02-22 |archive-date=22 February 2021 |archive-url=https://web.archive.org/web/20210222132857/https://www.zdnet.com/article/experian-challenged-over-massive-data-leak-in-brazil/ |url-status=live}}</ref>

=== 2022 ===

In late 2022 a flaw was revealed in Experian's website which allowed access to individual credit reports without full authentication, simply by changing the last part of the URL being requested from "/acr/oow/" to "/acr/report."<ref>{{cite web |last1=Krebs |first1=Brian |author1-link=Brian Krebs |title=Identity Thieves Bypassed Experian Security to View Credit Reports |url=https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/ |website=Krebs on Security |date=10 January 2023 |access-date=16 November 2024}}</ref> The flaw was fixed in early 2023, but it was not known how much data had been stolen through this security weakness.<ref>{{cite web |title=A Guide to Building Secure Web Applications/Preventing Common Problems/Parameter Manipulation |url=https://www.cgisecurity.com/owasp/html/ch11s04.html |website=CGIsecurity |access-date=16 November 2024}}</ref>