
API vulnerability triggers Experian data leak: What is to be done?

Secure identity and authorization controls need to be placed on APIs, to protect enterprise systems.

A computer being used in a workplace. — © Tim Sandle

Major finance company Experian experienced a data leak due to an API vulnerability that exposed the credit scores of tens of millions of people living in the U.S. Bill Demirkapi, who is an independent security researcher, reported he had discovered the data exposure while reviewing student loan vendors online.

The significance of the leak was that it allowed any third-party user to find someone else’s credit score simply by searching their name and address, with no authentication controls in place.

While Experian subsequently patched the flaw, researchers believe other lending websites that work with the credit bureau may have the same weakness.

API is the initialism for Application Programming Interface, a software intermediary that allows two applications to talk to each other. A common API vulnerability is the use of illegitimate tokens to gain access to endpoints. Authentication systems themselves may be compromised, or an API key may be exposed accidentally.

What are the implications, as many analysts expect, if the Experian vulnerability is replicated elsewhere? Looking into this issue for Digital Journal is Nathanael Coffing, co-founder and CSO of Cloudentity.

Coffing considers the implications of the data leak, noting: “This API security flaw leaked tens of millions of Americans’ credit scores and left Experian customers’ personal information vulnerable to fraud. Similar to the Walgreens data breach that occurred last year, this is a prime example of the importance of using identity and authorization as the baseline for security best practices at the API level.”

In terms of how these types of issues can be resolved, Coffing advises: “Without secure identity and authorization controls placed on the API, a bad actor can easily obtain access to a user’s data simply by programmatically using names and addresses.”

There are potentially other issues bubbling under, says Coffing: “While this vulnerability was promptly resolved after it was identified, it is likely that other companies using similar APIs have also leaked users’ credit scores.”

In terms of the optimal action to take, Coffing recommends: “To prevent data leaks of this nature, companies must implement context-based, granular authorization in their APIs coupled with a Zero Trust approach to identity and access management. With these proactive security guardrails, companies can ensure users are properly authorized prior to accessing any sensitive information.”
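As an added illustration of the contrast Coffing describes (example code written for this page, not Experian's or Cloudentity's), the toy Python service below shows a score lookup keyed only on name and address with no checks, next to a version that requires a vendor identity, a read scope and the subject's recorded consent; all records, tokens and consents are constructed.

```python
# Added illustration: a toy credit-score lookup API, weak pattern beside a
# hardened one with identity, scope and per-subject consent checks.
from dataclasses import dataclass
import hmac

# Constructed bureau records keyed by normalised (name, address).
CREDIT_SCORES = {
    ("alice example", "1 main st"): 712,
    ("bob example", "2 oak ave"): 655,
}

def _key(name: str, address: str) -> tuple:
    return (" ".join(name.lower().split()), " ".join(address.lower().split()))

def lookup_score_unauthenticated(name: str, address: str):
    """Weak pattern: anyone who knows a name and address gets the score back."""
    return CREDIT_SCORES.get(_key(name, address))

@dataclass(frozen=True)
class Caller:
    vendor_id: str
    scopes: frozenset

# Constructed API tokens issued to onboarded vendors (a real system would
# validate signed tokens from an identity provider rather than a table).
VALID_TOKENS = {"tok-vendor-123": Caller("vendor-123", frozenset({"credit:read"}))}
# Constructed consent registry: which vendors each subject has authorised.
CONSENTS = {("alice example", "1 main st"): {"vendor-123"}}

class AuthorizationError(Exception):
    pass

def authenticate(token: str) -> Caller:
    for known, caller in VALID_TOKENS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return caller
    raise AuthorizationError("invalid token")

def lookup_score_authorized(token: str, name: str, address: str):
    """Hardened pattern: identity, scope and subject consent are all required."""
    caller = authenticate(token)
    if "credit:read" not in caller.scopes:
        raise AuthorizationError("missing scope")
    key = _key(name, address)
    # One generic denial whether the record is missing or consent is absent,
    # so the endpoint cannot be used to enumerate which people are on file.
    if caller.vendor_id not in CONSENTS.get(key, set()):
        raise AuthorizationError("not authorised for this subject")
    return CREDIT_SCORES.get(key)
```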


Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
