Major finance company Experian experienced a data leak due to an API vulnerability that exposed the credit scores of tens of millions of people living in the U.S. Bill Demirkapi, an independent security researcher, reported that he discovered the data exposure while reviewing student loan vendors online.
The significance of the leak was that it allowed any third-party user to find someone else’s credit score by searching their name and address and without any authentication controls in place.
While Experian subsequently patched the flaw, researchers believe other lending websites that work with the credit bureau may have the same weakness.
API is the initialism for Application Programming Interface, a software intermediary that allows two applications to talk to each other. A common class of API vulnerability involves illegitimate or missing tokens being accepted to gain access to endpoints: the authentication system itself may be compromised, or an API key may be exposed accidentally.
What are the implications if, as many analysts expect, the Experian vulnerability is replicated elsewhere? Looking into this issue for Digital Journal is Nathanael Coffing, co-founder and CSO of Cloudentity.
Coffing considers the implications of the data leak, noting: “This API security flaw leaked tens of millions of Americans’ credit scores and left Experian customers’ personal information vulnerable to fraud. Similar to the Walgreens data breach that occurred last year, this is a prime example of the importance of using identity and authorization as the baseline for security best practices at the API level.”
In terms of how these types of issues can be resolved, Coffing advises: “Without secure identity and authorization controls placed on the API, a bad actor can easily obtain access to a user’s data simply by programmatically using names and addresses.”
There are potentially other issues bubbling under, says Coffing: “While this vulnerability was promptly resolved after it was identified, it is likely that other companies using similar APIs have also leaked users’ credit scores.”
In terms of the optimal action to take, Coffing recommends: “To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.”
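To make the contrast concrete, here is an added example (not from the article, Experian or Cloudentity) modelling the weak pattern described above, an endpoint that returns a score for any name and address with no caller identity, beside a hardened version that authenticates the caller, enforces object-level authorization of the kind Coffing recommends, and records every decision for detection. All records, tokens and names are constructed; the token table stands in for real token introspection or JWT validation.

```python
"""Model of the flaw described above: an endpoint that returns a credit score
keyed only on name + address, with no caller identity, next to a hardened
version that authenticates the caller and enforces object-level authorization.
Every record, token and name here is constructed for the example."""
import hmac

# Constructed sample records keyed by the subject they belong to.
SCORES = {("Jane Doe", "1 Main St"): 712, ("John Roe", "2 Oak Ave"): 655}

# Constructed bearer tokens -> claims (a stand-in for real token introspection
# or JWT validation). A consumer token is bound to one subject; a lender
# token carries an explicit scope to read other subjects' records.
TOKENS = {
    "tok-jane": {"subject": ("Jane Doe", "1 Main St"), "scopes": {"score:read"}},
    "tok-lender": {"subject": None, "scopes": {"score:read", "score:read:any"}},
}

class AuthError(Exception):
    """Raised when the caller is unauthenticated or not authorized."""

def lookup_score_vulnerable(name, address):
    """Weak pattern: anyone who can guess a name and address gets the score."""
    return SCORES.get((name, address))

def _introspect(token):
    """Resolve a bearer token to its claims, using constant-time comparison."""
    for known, claims in TOKENS.items():
        if hmac.compare_digest(known, token):
            return claims
    raise AuthError("unauthenticated")

def lookup_score_hardened(token, name, address, audit):
    """Authenticate the caller, then check it may read *this* subject's record.
    Every decision is appended to `audit` so denials are visible to detection."""
    claims = _introspect(token)
    requested = (name, address)
    if "score:read" not in claims["scopes"]:
        audit.append(("deny", "missing scope", requested))
        raise AuthError("forbidden")
    if claims["subject"] != requested and "score:read:any" not in claims["scopes"]:
        audit.append(("deny", "cross-subject read", requested))
        raise AuthError("forbidden")
    audit.append(("allow", "authorized", requested))
    return SCORES.get(requested)

def request(token, name, address, audit):
    """Wrap the hardened lookup as an endpoint would: status plus body."""
    try:
        return ("200", lookup_score_hardened(token, name, address, audit))
    except AuthError as exc:
        return ("403" if str(exc) == "forbidden" else "401", None)
```

A real deployment would additionally tie the lender's `score:read:any` scope to consumer consent and request context (the "context-based" part of the recommendation), and feed the audit entries to monitoring so a burst of cross-subject denials is alerted on.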