Three years ago today, I filed a complaint with the Federal Trade Commission about Experian’s data breaches.
Back then, I knew about 60 breaches of their credit reporting database due to client login credentials being misused. There were also other breaches of their database involving people being able to authenticate as others to obtain credit reports, but my complaint focused on client login credentials being misused. Keep in mind that this was all before the Court Ventures mess, too.
Under FTC’s procedures, I was never told what happened to my complaint, but I think we can all agree that we’ve never seen any announcement from the FTC concerning any consent order or data security enforcement action under Section 5. Nor have I seen any closing letter.
So here we are three years later. By now, I know of about 109 breaches of their database due to client login credentials being misused (not counting the Court Ventures mess). I stopped keeping track of the other type of breaches involving authentication, but there have been more of those, too.
And of course, what I know is likely only a subset of all of Experian’s breaches because most states do not have a centralized breach report database that can be obtained.
So is my complaint still under investigation by the FTC? Has the investigation been closed? We know nothing because of the FTC’s procedures for non-public investigations.
In the last three years, the FTC has pursued more than 50 data security enforcement cases. In my opinion, they have wasted incredible resources going after LabMD. In the meantime, Experian continues to compile more information on more consumers every day.
I’d love to know why there has been nothing public about this Experian complaint. Are they too big for the FTC to fight? Did FTC find the complaint unfounded for some reason? I would hope that no company is beyond the reach of the FTC when it comes to data security and protecting consumers.