Experian uses strange data theft to push rebranded 'Triple Advantage'

Over the weekend I got a letter in the mail from a company called ECMC in Chanhassen, Minn., warning me of a possible theft of my personal data. Letters like these have become, unfortunately, commonplace in recent years.

Here's the first paragraph:
We at ECMC, a guarantor of federal student loans, regret to inform you of a recent data theft from our facility in Oakdale, MN that may affect you. We believe that information about your student loan, including your name, Social Security number, address, and date of birth was stolen, resulting in the potential loss of your personal information. We want to assure you that no savings, checking or credit card account numbers were included in the data theft. Since this incident we have enhanced our electronic and physical security protocol. We have also received further recommendations from an external security partner that are being reviewed by our incident response team and we are enhancing both security protocols. (Italics added)

Most people, me included, didn't really pay enough attention until the ChoicePoint disaster in 2005. This theft made headlines: The Wall Street Journal reported that 3.3 million people, or 5% of student loan holders, were possibly affected in the largest case of its kind.

So I wanted to know: What does ECMC do? In its own words, "We are one of the country's top 10 guaranty agencies and the U.S. Department of Education's designated provider for student loan bankruptcy services." They're also in search of for-profit revenue streams, according to this page of their site.

But this theft case gets curiouser and curiouser, starting from the way the theft went down: Thieves broke into ECMC the weekend of March 20, carted away two 200-pound safes containing the data records on 650 CDs and floppies, jacked the safes open and dumped the contents, later found by local Minneapolis cops. Despite the high-profile nature of the case, the cops left the data in an evidence room pretty much in the open for almost a month. The data is now back at ECMC, apparently unscathed, and there's a suspect yet to be named in custody who is not an ECMC employee, past or present.

The safes were behind a locked door inside an office that requires a card key to get in, an ECMC executive told the Oakdale-Lake Elmo Review. "It was obvious a theft had occurred, how they were able to get through the levels of security that they have, we still don't understand that."

Now let's step back from the details of the case. First, I haven't had a student loan in 20 years. I frankly doubt my name was among the 3.3 million on those CDs and floppies. Even if it was, it sounds like the data was recovered undisturbed -- very unusual in these kinds of cases. Second, my ECMC letter is dated March 31, but it arrived in my mailbox May 1, two weeks after the data was recovered and the suspect caught, and a month and a half after the theft. In that amount of time, someone could have cloned my DNA, flown to Vegas and dropped $500k at the Wynn. Third, reading the ECMC letter further, I came across this paragraph:
What we are doing
ECMC has arranged with ConsumerInfo.com, Inc., an Experian company to provide you with up to 12 months of free Triple Alert (SM) coverage, a comprehensive three bureau credit monitoring membership to help protect your identity and credit. We strongly encourage you to go online and enroll in Experian's Triple Alert (SM) product immediately. (no emphasis added)
So I decided to sign up with the "individual activation code," and landed on a page welcoming me to my free year's subscription and promptly soliciting me for $19.95 for my three-bureau credit score. Yes, "Triple Alert" is the same product as Triple Advantage -- you know, as in, "Offer applies with enrollment in Triple Advantage," the phrase that guy says really fast at the end of those credit report commercials that the Federal Trade Commission poked fun at? And the same ConsumerInfo.com that settled with the FTC for $1 million five years ago for deceptive advertising?

I called Dublin, Ireland-based Experian's corporate press office in Costa Mesa, Calif., to confirm this really was a marketing pitch. But the company would not directly answer any question, with a spokeswoman for Experian only saying the company "does not comment on data breach."

So a non-profit student loan guarantor that wants to become a for-profit has teamed up with the corporation that does those catchy credit-report songs (that are meant to direct you away from the federally mandated AnnualCreditReport.com, which actually is free), who are in reality one of the big three credit bureaus?

The student loan bankruptcy data people who let "my" personal information walk out of a locked room and a guarded gate and get trashed in some frozen city are joining forces with the Triple Advantage people to sell my own credit data back to me? Are you with me, camera guy?