API vulnerability triggers Experian data leak: What is to be done?

Secure identity and authorization controls need to be placed on APIs, to protect enterprise systems.

A computer being used in a workplace. — © Tim Sandle,

Credit bureau Experian experienced a data leak, caused by an API vulnerability, that exposed the credit scores of tens of millions of people living in the U.S. Bill Demirkapi, an independent security researcher, reported that he discovered the exposure while reviewing student loan vendors online.

The leak was significant because it allowed any third party to look up someone else’s credit score simply by submitting that person’s name and address, with no authentication controls in place.

While Experian subsequently patched the flaw, researchers believe other lending websites that work with the credit bureau may have the same weakness.

API is the initialism for Application Programming Interface: a software intermediary that lets two applications talk to each other. A common class of API vulnerability involves illegitimate tokens being used to reach endpoints; the authentication system itself may be compromised, or an API key may be exposed accidentally.

What are the implications if, as many analysts expect, the Experian vulnerability is replicated elsewhere? Looking into this issue for Digital Journal is Nathanael Coffing, co-founder and CSO of Cloudentity.

Coffing considers the implications of the data leak, noting: “This API security flaw leaked tens of millions of Americans’ credit scores and left Experian customers’ personal information vulnerable to fraud. Similar to the Walgreens data breach that occurred last year, this is a prime example of the importance of using identity and authorization as the baseline for security best practices at the API level.”

In terms of how these types of issues can be resolved, Coffing advises: “Without secure identity and authorization controls placed on the API, a bad actor can easily obtain access to a user’s data simply by programmatically using names and addresses.”

There are potentially other issues bubbling under, says Coffing: “While this vulnerability was promptly resolved after it was identified, it is likely that other companies using similar APIs have also leaked users’ credit scores.”

In terms of the optimal action to take, Coffing recommends: “To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.”
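One way to illustrate the control Coffing describes, as an added example that is not code from the article, Experian or Cloudentity: a toy credit-score lookup in Python contrasting the unauthenticated name-and-address query with a version that first authenticates the caller and then checks, per record, that the caller is the owner or has been granted access. Record data, bearer tokens and consent grants are constructed sample values.

```python
# Added example, not code from the article, Experian or Cloudentity: a toy
# credit-score lookup contrasting the unauthenticated name+address query the
# article describes with a version that checks identity and per-record
# authorization. All records, tokens and grants are constructed sample data.

# Constructed records keyed by (name, address), the way the leaky lookup worked.
RECORDS = {
    ("alice example", "1 main st"): {"owner": "user-alice", "score": 712},
    ("bob example", "2 oak ave"): {"owner": "user-bob", "score": 655},
}
# Constructed bearer tokens -> authenticated subject (stand-in for an identity provider).
SESSIONS = {"tok-alice": "user-alice", "tok-bob": "user-bob", "tok-lender": "svc-lender"}
# Constructed consent grants: subjects a record owner has allowed to read their score.
GRANTS = {"user-bob": {"svc-lender"}}
# Denied requests are recorded so bulk probing of names shows up in monitoring.
AUDIT = []


def _key(name, address):
    return (name.strip().lower(), address.strip().lower())


def lookup_insecure(name, address):
    """The leaky pattern: anyone who knows a name and address gets the score back."""
    rec = RECORDS.get(_key(name, address))
    return rec["score"] if rec else None


def authenticate(headers):
    """Map an 'Authorization: Bearer <token>' header to a subject, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def lookup_secure(headers, name, address):
    """Hardened: identity first, then object-level authorization for this record.
    Returns (http_status, score_or_None)."""
    subject = authenticate(headers)
    if subject is None:
        AUDIT.append(("unauthenticated", _key(name, address)))
        return 401, None
    rec = RECORDS.get(_key(name, address))
    # Same answer whether the record is missing or belongs to someone else, so the
    # response does not confirm that a given name/address pair exists.
    allowed = rec is not None and (
        subject == rec["owner"] or subject in GRANTS.get(rec["owner"], set()))
    if not allowed:
        AUDIT.append(("denied", subject, _key(name, address)))
        return 404, None
    return 200, rec["score"]
```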

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
