Threat actors could exploit Experian's knowledge-based verification offering Precise ID to facilitate partial Social Security number leaks, according to CyberScoop.
The issue was discovered by security researcher Lucky225, who identified the vulnerability after trying to register with the Pacific Gas and Electric Company.
Two healthcare firms and a state health agency's vaccination verification system were also found to be using Experian Precise ID.
Further investigation by CyberScoop revealed that the Illinois Department of Health used the system for its "Vax Verify" portal but stopped using the system's question-asking functionality for partial SSN identification.
Identity verification systems similar to Experian's have become extremely vulnerable to cyberattacks, which should prompt organizations to adopt multi-factor authentication instead, said SocialProof Security CEO Rachel Tobac.
"It's extremely easy to leak sensitive data through these identity verification methods... When I have access to SSN data (or other data like mother's maiden name, addresses you've lived at, date-of-birth), it allows me to quickly get past customer support identity verification methods because I can simply answer the questions correctly as you would," Tobac added.