Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » dp72 credit submission 20071223  

Subscribe to Galexia news and announcements.
More information »

Identity Management and Authentication - Technical Consulting: Galexia has specialist consultants in the architecture of distributed identity solutions, including authentication, authorisation, accounting, auditing, single sign-on, federation, provisioning, synchronisation, public key infrastructure and emerging user-centric approaches. Find out more »

[2015 EU Cybersecurity Dashboard]

2015 EU Cybersecurity Dashboard
Find out more »

Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)

[« previous] [next »] [up] [title page] [full contents]

2.5. Security of data

Potential consumer harm relating to the security of credit reporting information includes concerns regarding the amount of data (in that it may become an attractive target for fraud), data breaches, unauthorised use, data retention and destruction policies.

However, the ALRC in DP72 believes that security concerns in credit reporting do not require specific regulation:

Proposal 54-9: The proposed Privacy (Credit Reporting Information) Regulations should contain no equivalent to s 18G(b) and (c), dealing with the security of credit information files and credit reports, as these obligations are adequately covered by the proposed ‘Data Security’ principle (UPP 8).

While UPP 8 does provide coverage of data security issues, it does not address concerns about the creation of very large data sets. UPP 8 applies equally to a single file or a massive database.

Credit reporting agencies have significant data holdings (Veda Advantage holds one of the largest private sector data sets in the region with over 14 million individual records). Concerns about data breaches are based on three fears:

  • The larger and more valuable a data set becomes, the more attractive it is as a target for fraud and unauthorised access;
  • The larger and more complex a data set becomes the more vulnerable it becomes to errors, accidents and negligence that result in a data breach; and
  • There is a history of security breaches at credit reporting agencies elsewhere.

Major credit reporting agencies in the US and Canada have reported data security breaches or identity theft losses in recent years:

  • US – TransUnion
    In December 2006, the TransUnion credit bureau investigated an unauthorised entry into their database, and an illegal download of hundreds of people's personal information. It was alleged that four different scam companies across the country stole more than 1,700 people’s credit information and social security numbers.[20]
  • US – Equifax
    In May 2006, Equifax credit agency acknowledged that a laptop computer containing employee names and Social Security numbers was stolen from a worker travelling on a train near London. The theft affected nearly all of the company's 2,500 US employees.[21]
  • US – Experian
    In June 2005, a new tenant to a building in Kansas City discovered that it was formerly occupied by the Topeka Credit Bureau and the Experian credit reporting agency. Inside the building, the tenant found the previous lessee had left ‘thousands and thousands’ of printed documents and numerous computerised records behind. The documents had personal data printed on them, including names, addresses and Social Security numbers, located in cabinets and within the drives of 10 to 20 computers.[22]
  • Canada – Equifax
    In February 2004, unauthorised remote access was gained to the personal, detailed credit files of more than 1,400 people on Equifax Canada’s database. The files contained social insurance numbers, bank account numbers, credit histories, home addresses and job descriptions. The breach was discovered in March of that year. More than 1,400 Canadians were notified of the breach via registered mail asking that they contact the agency to review the contents of their respected credit files.[23]

This Report concludes that, in line with the ALRC Proposal, UPP 8 should be the main requirement for data security in credit reporting. However, it is noted that a significant security issue in credit reporting is scale. With some data sets exceeding 14 million records containing multiple data fields of highly sensitive financial data, consumers are concerned about the vulnerability of credit reporting information to deliberate attack or neglect.

This issue is closely linked with the discussion of ‘more comprehensive reporting’ proposals in this Report at Section 2.13 (page 23). 

[20] Kxan.com, Credit Bureau Security Breached, 1 December 2006, <http://www.kxan.com/Global/story.asp?S=5752352>.

[21] Searchsecurity.com, Data theft affects 88 million-plus Americans, 21 June 2006, <http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1195270,00.html>.

[22] Consumeraffairs.com, Experian Abandons Thousands of Consumer Data Records, 15 June 2005, <http://www.consumeraffairs.com/news04/2005/experian_abandons_data.html>.

[23] Computerworld.com, Credit agency reports security breach, 17 March 2004, <http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html>.

[« previous] [next »] [up] [title page] [full contents]

[view all]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]