Connect with us

Hi, what are you looking for?

Tech & Science

API vulnerability trigger Experian data leak: What is to be done?

One of the big three finance house has been hit by a cyberattack. What lessons can be learnt from this?

Photo: © Lionel Bonaventure AFP
Photo: © Lionel Bonaventure AFP

Major finance company Experian experienced a data leak due to an API vulnerability that exposed the credit scores of tens of millions of people living in the U.S. Bill Demirkapi, who is an independent security researcher, reported he had discovered the data exposure while reviewing student loan vendors online.

The significance of the leak was that it allowed any third-party user to find someone else’s credit score by searching their name and address and without any authentication controls in place.

While Experian subsequently patched the flaw, researchers believe other lending websites that work with the credit bureau may have the same weakness.

API is the initialism for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other. A common API vulnerability is with the use of illegitimate tokens to gain access to endpoints. Authentication systems themselves may be compromised, or expose an API key accidentally.

What are the implications, as many analysts expect, if the Experian vulnerability is replicated elsewhere? Looking into this issue for Digital Journal is Nathanael Coffing, co-founder and CSO of Cloudentity.

Coffing considers the implications of the data leak, noting: “This API security flaw leaked tens of millions of Americans’ credit scores and left Experian customers’ personal information vulnerable to fraud. Similar to the Walgreens data breach that occurred last year, this is a prime example of the importance of using identity and authorization as the baseline for security best practices at the API level.”

In terms of how these types of issues can be resolved, Coffing  advises: “Without secure identity and authorization controls placed on the API, a bad actor can easily obtain access to a user’s data simply by programmatically using names and addresses.”

There are potentially other issues bubbling under, says Coffing: “While this vulnerability was promptly resolved after it was identified, it is likely that other companies using similar APIs have also leaked users’ credit scores.”

In terms of the optimal action to take, Coffing recommends: “To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:


A hypersonic missile launches from Hawaii last year as part of the US testing programme. The test missile flew at more than five times...


US Special Representative for North Korea Policy Sung Kim speaks to reporters outside of the State Department - Copyright GETTY IMAGES/AFP/File Kevin DietschA US...


Canadian Prime Minister Justin Trudeau lays flowers at a memorial outside of the Kamloops Indian Residential School in Kamloops, British Columbia - Copyright GETTY...


The US employment market is highly geared to what could politely be called outdated structural protocols.