
API vulnerability triggers Experian data leak: What is to be done?

Secure identity and authorization controls need to be placed on APIs, to protect enterprise systems.

Image by Tim Sandle, of a computer being used in a workplace.

Credit bureau Experian suffered a data leak through an API vulnerability that exposed the credit scores of tens of millions of people living in the U.S. Bill Demirkapi, an independent security researcher, reported that he discovered the exposure while reviewing student loan vendors online.

The significance of the leak was that anyone could look up another person’s credit score simply by supplying that person’s name and address: the endpoint had no authentication controls in place, and so had no way of restricting who could query whose record.

While Experian subsequently patched the flaw, researchers believe other lending websites that work with the credit bureau may have the same weakness.

API is the initialism for Application Programming Interface: a software intermediary that lets two applications talk to each other. Here, lending websites that work with Experian exposed such an interface, and it answered any caller. Common API weaknesses include endpoints that require no authentication at all, tokens that are leaked, stolen or forged and then used to reach endpoints, and authentication systems that are themselves compromised or that accidentally expose an API key. The distinction that matters in this case is between authentication (establishing who is calling) and authorization (deciding whether that caller may see the specific record requested); an endpoint that hands out credit scores needs both.

What are the implications if, as many analysts expect, the Experian vulnerability is replicated elsewhere? Looking into this issue for Digital Journal is Nathanael Coffing, co-founder and CSO of Cloudentity.

Coffing considers the implications of the data leak, noting: “This API security flaw leaked tens of millions of Americans’ credit scores and left Experian customers’ personal information vulnerable to fraud. Similar to the Walgreens data breach that occurred last year, this is a prime example of the importance of using identity and authorization as the baseline for security best practices at the API level.”

On the root cause of issues of this type, Coffing observes: “Without secure identity and authorization controls placed on the API, a bad actor can easily obtain access to a user’s data simply by programmatically using names and addresses.”

There are potentially other issues bubbling under, says Coffing: “While this vulnerability was promptly resolved after it was identified, it is likely that other companies using similar APIs have also leaked users’ credit scores.”

In terms of the optimal action to take, Coffing recommends: “To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.”
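To make the distinction between the flaw described above and the controls Coffing recommends concrete, the following is an added example written for this article; it is not Experian’s, any lender’s, or Cloudentity’s code. It shows a toy credit-score lookup in two forms: the vulnerable one, which returns a score to whoever supplies a matching name and address, and a hardened one that first authenticates the caller and then makes a per-record, context-based authorization decision. The HMAC-signed bearer token stands in for a token from a real identity provider, the consent ledger is a hypothetical stand-in for whatever a bureau uses to record which lenders a consumer has authorised, and all records, names and keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data for this example; none of these are real people or keys.
RECORDS = {
    ("Alice Example", "1 Main St"): {"subject_id": "u-1", "score": 712},
    ("Bob Sample", "2 Oak Ave"): {"subject_id": "u-2", "score": 655},
}
# Hypothetical consent ledger: which lenders each subject has authorised to pull a score.
CONSENTS = {"u-2": {"lender-acme"}}
# Hypothetical server-side signing key for the bearer tokens (stand-in for an IdP).
SIGNING_KEY = b"example-signing-key-not-for-production"


def vulnerable_lookup(params):
    """Mirrors the flaw described in the article: whoever knows a name and address
    gets the score back. Nothing identifies the caller, so nothing can limit access."""
    rec = RECORDS.get((params.get("name"), params.get("address")))
    if rec is None:
        return 404, {"error": "not found"}
    return 200, {"score": rec["score"]}


def issue_token(claims):
    """Mint an HMAC-signed bearer token carrying identity and role claims."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token):
    """Return the claims if the signature verifies (constant-time compare), else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def is_authorized(claims, rec):
    """Context-based, object-level authorization: the answer depends on who the caller
    is, what role they hold, and whether this subject consented to this lender."""
    if claims.get("role") == "consumer":
        return claims.get("sub") == rec["subject_id"]
    if claims.get("role") == "lender":
        return claims.get("sub") in CONSENTS.get(rec["subject_id"], set())
    return False


def hardened_lookup(params, headers):
    """Authenticate first, then authorize per record before returning anything."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return 401, {"error": "invalid token"}
    rec = RECORDS.get((params.get("name"), params.get("address")))
    # Same response for "no such record" and "not yours": an authenticated caller must
    # not be able to use the endpoint to confirm which name/address pairs exist.
    if rec is None or not is_authorized(claims, rec):
        return 404, {"error": "not found"}
    return 200, {"score": rec["score"]}


if __name__ == "__main__":
    query = {"name": "Bob Sample", "address": "2 Oak Ave"}
    print("vulnerable, anonymous caller:", vulnerable_lookup(query))
    print("hardened, anonymous caller:", hardened_lookup(query, {}))
    acme = issue_token({"sub": "lender-acme", "role": "lender"})
    print("hardened, consented lender:", hardened_lookup(query, {"Authorization": f"Bearer {acme}"}))
    other = issue_token({"sub": "lender-other", "role": "lender"})
    print("hardened, lender without consent:", hardened_lookup(query, {"Authorization": f"Bearer {other}"}))
```

Two design points are worth noting. Authentication alone would not have been enough: a lender with a valid token could still have enumerated other people’s scores, which is why `is_authorized` decides per record and per caller rather than per endpoint. And the hardened handler deliberately returns the same 404 for a missing record and for a record the caller may not see, so a legitimate, authenticated user cannot repurpose the endpoint to confirm which names and addresses exist.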

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, and health journalism. He is also a practising microbiologist and an author, and is interested in history, politics and current affairs.
