Experian plc is a multinational data analytics and consumer credit reporting company headquartered in Dublin, Ireland. Experian collects and aggregates information on over 1 billion people and businesses including 235 million individual U.S. consumers and more than 25 million U.S. businesses.[5][6] It is listed on the London Stock Exchange and is a constituent of the FTSE 100 Index. Experian is a partner in USPS address validation. It is one of the "Big Three" credit-reporting agencies, alongside TransUnion and Equifax.[7]
In addition to its credit services, Experian also sells decision analytic and marketing assistance to businesses, including individual fingerprinting and targeting.[8] Its consumer services include online access to credit history and products meant to protect from fraud and identity theft.[9] Like all credit reporting agencies, the company is required by U.S. law to provide consumers with one free credit report every year.[10]
History
The company has its origins in Credit Data Corporation, a business which was acquired by TRW Inc. in 1968,[11] and subsequently renamed TRW Information Systems and Services Inc.[12]
In November 1996, TRW sold the unit, as Experian, to Bain Capital and Thomas H. Lee Partners.[13] Just one month later, the two firms sold Experian to The Great Universal Stores Limited in Manchester, England, a retail conglomerate with millions of customers paying for goods on credit (later renamed GUS).[14] GUS merged its own credit-information business, CCN, which at the time was the largest credit-service company in the UK, into Experian.[15]
In August 2005, Experian accepted a settlement with the Federal Trade Commission (FTC) over charges that Experian had violated a previous settlement with the FTC. The FTC alleged that ads for the "free credit report" did not adequately disclose that Experian customers would automatically be enrolled in Experian's $79.95 credit-monitoring program.[18][Note 1]
In January 2008, Experian announced that it would cut more than 200 jobs at its Nottingham office.[19]
Experian shut down its Canadian operations on 14 April 2009.[20]
In October 2017, Experian acquired Clarity Services, a credit bureau specialising in alternative consumer data.[22]
In October 2024, Experian agreed to acquire Brazilian digital fraud prevention provider ClearSale for $350 million.[23]
Operations
In the United States, like the other major credit reporting bureaus, Experian is chiefly regulated by the Fair Credit Reporting Act (FCRA). The Fair and Accurate Credit Transactions Act of 2003, signed into law in 2003, amended the FCRA to require the credit reporting companies to provide consumers with one free copy of their credit report per 12-month period. Like its main competitors, TransUnion and Equifax, Experian markets credit reports directly to consumers. Experian heavily markets its for-profit credit reporting service, FreeCreditReport.com, and all three agencies have been criticised and even sued for selling credit reports that can be obtained at no cost.[24][25]
Its market segmentation tool, Mosaic, is used by political parties to identify groups of voters. In the British version there are 15 main groups, broken down into 89 hyperspecific categories, from "corporate chieftains" to "golden empty-nesters" which can be taken down to the level of individual postcodes. It was first used by the Labour Party, but then taken up by the Conservatives in the 2015 General Election campaign.[26]
Sales to identity thieves
In 2013 a Vietnamese national, Hieu Minh Ngo,[27] was charged by the U.S. Department of Justice with attempting to sell personally identifiable information on hundreds of thousands of U.S. residents. This information had been allegedly purchased from Experian subsidiary and data aggregator Court Ventures. However, Ngo testified under oath that the information he had sold to identity thieves had actually been acquired from another hacker based in Russia, and not Experian or Court Ventures. Ngo then resold the information he acquired from the Russian hacker through the identity fraud enabling websites Superget.info and Findget.me.[28][29][30][31][32] The information offered for anonymous sale on these websites included individual's name, address, Social Security number, date of birth, place of work, duration of work, state driver's licence number, mother's maiden name, bank account number(s), bank routing number(s), email account(s) and other account passwords.[32]
Data breaches
2015
On 1 October 2015 Experian announced that they had discovered a data breach existing between 1 September 2013 and 16 September 2015. As many as 15 million people who used the company's services, among them customers of American cellular company T-Mobile who had applied for Experian credit checks, may have had their private information exposed.[33][34]
2020
In 2020 it was revealed that Experian had suffered a further data breach, on this occasion in South Africa.[35] Initially, Experian claimed that the incident had been contained[36] but subsequently this was shown to be untrue. Data on 24 million South Africans was leaked, as well as on nearly 800,000 businesses. Of these, 24,838 had financial details leaked.[37]
2021
In January 2021 a new leak was revealed in Brazil, with the source being linked to Experian's Brazilian subsidiary Serasa Experian. The breach resulted in data of 220 million citizens (including some already dead) being sold in the web. This is probably the most severe data breach in history, as it includes names, social security numbers, income tax declaration forms, addresses and other private information on nearly all Brazilian citizens.[38] Experian claims there's no evidence that its systems have been compromised, but this lack of evidence doesn't explain it being the only probable source for the data. According to a Brazilian consumer rights foundation, the company has not been handling the breach appropriately.[39]
2022
In late 2022 a flaw was revealed in Experian's website which allowed access to individual credit reports without full authentication, simply by changing the last part of the URL being requested from "/acr/oow/" to "/acr/report."[40] The flaw was fixed in early 2023, but it was not known how much data had been stolen through this security weakness.[41]