by tonyfelice 4621 days ago
Sort of insinuates that ID theft is not meant to be a core focus of Experian.

> Sort of insinuates that ID theft is not meant to be a core focus of Experian.

The post is saying that a service that aids scammers purchased data from Experian.

Seeing the title, I initially thought it meant that Experian sold data to an ID Theft-prevention service, which would be less bad.

I read it the same way, but that would have been pretty bad in and of itself. Why should an ID theft prevention service have data on me unless I have a business relationship with them?
Going back a step, why should Experian have data on you?
And they can sell what they call the "header" of your credit report without regulation (such as the FCRA). This info includes your name, address, SSN and DOB. Or at least it did when I bought it in the 90's to build a service to find dead-beat dads. I've heard they are more restrictive on the SSN, but I also would bet that's the #1 data element for the ID thefters.
I don't understand why the U.S. is so opposed to a nationwide ID, and yet obviously needs one, and ends up treating other documents less suited to the task as one.

Here in Uruguay (and almost everywhere else) we have a national ID number (Cédula de Identidad). It's not supposed to be secret (although it's not a great idea to divulge it freely).

http://en.wikipedia.org/wiki/National_identification_number

An SSN is quite a good ID in that it should uniquely identify WHO is being discussed but it is a lousy authenticator to prove you ARE the person being discussed. Unfortunately in the US it seems to be regarded as a shared secret (between you, every credit reference agency, significant portions of the government, every bank you use, every employer you have and significant numbers of people working for all those groups) that they then use as authentication. What is needed is a separate authentication process.
I don't see how a new ID number will solve anything. We already have a de facto national ID number, the SSN.
How else would credit history (and credit in general) work?
Voluntarily?

If you want to use credit, you have to let lenders collaborate to determine whether they're willing to lend to you, if that's their criteria for making decisions.

If you don't want to use credit, they get no special pass to store and use personal data about you.

I'm from Europe, where generally personal privacy gets more emphasis than it seems to in some places, notably the US. We have explicit laws about collecting and processing personal data, but certain organisations seem to get a free pass for no apparent reason. As this story demonstrates, the risks are still there.

That said, perhaps we shouldn't be too worried. The last time I paid a little real money to get hold of my personal credit report from one of these credit reporting organisations, it was so riddled with obvious errors, including more than a few wildly inaccurate data points, that I was on the phone to them for something like half an hour to get them to correct everything. At that point (I kid you not) the woman on the phone asked if I would be much longer because it was the end of the day and time for her to go home.

I'm convinced that those 'errors' on reports are actually phishing.

When I ordered my reports I paid with postal orders, so as not to leak any financial information back to the agencies. I'm glad I did so, as the details (other than my mortgage) were laughably incorrect.

I was on the verge of writing to correct them and then caught myself - that's exactly what they want, isn't it? So hopefully by now they've diverged even further from the truth.

Well for a start they could stop using your immutable SSN as both your username and password.

That's like your Gmail password being your address, oh and by the way you can never change it.

... Because they are one of the three major credit-scoring agencies that maintain records on every person with a credit history?
Well, sure, that's a description of what they do, but it doesn't explain why they should have access to this information. In a marketplace, perhaps there doesn't really need to be a "why". But the same "why" should apply to Experian as it would to an ID Theft-Prevention service (the hypothetical thing that we were discussing in this comment thread, and the reason I asked this question in the first place).

That is, Experian's longevity and importance make them more reputable. Their function as a business, certainly, is to collect, analyze, and repackage this data. But these things should not give them a free pass on the "why" question that greenyoda posed, if the question is going to be asked at all.

They said "should" not "would."
Experian is one of the big three credit reporting agencies; their databases are used to determine whether you qualify for a loan. They are your credit record...

So, yeah; this is pretty bad.