Anyone else experienced this?
A friend just tried to access his account information online via the Social Security Adminstration's web portal. He was told his online account had been cancelled and that he would have to create a new account as of January 1st. Suddenly, he was redirected to an Experian web site that started asking obscure personal "security questions" that proved impossible to answer and he was locked out of his account. (Do you remember all the license tags for any cars that could have been in your name for the last 10 years?)
After several hours of waiting on hold ('yes, we're getting a lot of calls from people having problems with this...') so he could start over, it appears that inaccurate information may have been entered and there's no way to fix it except by visiting a SS field office in person. I'm guessing this sounds familiar to ANYONE who's ever had to deal with Experian with an error on their credit report in the past.
What has happened is this: in response to concerns about the security of the massive amounts of sensitive data held by the Social Security Administration, someone thought it would be a good idea to award the contract to Experian. Experian seems to have merged with some other world-wide agencies under the banner of "A Single Version of the Truth" (not kidding) and are now offering their expertise in identity verification.
On the surface, this seems to be a violation of our expectation of privacy with respect to the massive volume of data that the Social Security Administration collects on all individual's employment history. Secondly: Experian may now have the ability to correlate and data mine this secure information combined with all the other records they collect about individuals - and we have no control over how this information will be used or verification of it's accuracy.
Finally: Experian has always had a terrible record for accuracy of their records. They have a poor documented record with the public (when you can find them - they obviously scrub well - not much on Google) and that aligns with my direct personal experience over the years. One incident after some strange credit events took me 6 weeks and a 25 page letter documenting errors that needed to be corrected. One bank supervisor during my ordeal candidly told me Experian always had the most errors, but they were the least expensive and that's why they were used so often. When you realize that errors on your credit report only allow providers to charge more fees - you can see why there's not much incentive for accuracy ... but that's another issue.
I'm wondering if anyone else is bothered by this massive hand-over of personal data to a company that, frankly, I don't trust to respect my privacy and not misuse the information. Granted, this doesn't affect operation of Social Security or payments - but with fewer field offices, this could affect many people's access to their information.
6:38 AM PT: Update: Here's another scary concern from comments (DRo):
"Offers two report types, full and partial, for clients with and without a Fair Credit Reporting Act (FCRA) permissible purpose"
... so further into private, non-regulated data?
Also: I wonder if this "data exchange" applied to only the 50 Million active SS benefit recipients ... or did the get access to ALL SS records? And I'll bet Experian did it for "free" (saved taxpayer $s!) for access to data that will be worth a goldmine to them!
3:07 PM PT: In response to a downstream "pie fight", I stand by my assumption that Experian explicitly states they have access to Social Security data:
"...people age 18 and older must be able to provide information about themselves that matches information already on file with Social Security. Then, Social Security uses Precise IDSM, Experian’s fraud detection and prevention platform, to securely authenticate and further verify the person’s identity."
The statement from Experian says they use "information already on file with Social Security". They then state that Social Security uses "Precise IDSM (tm, I assume)
, Experian's fraud detection and prevention platform" to further verify the person's identity.
We can assume that either SSA hands off to Experian for the ID verification, or that Experian is within SSA system to verify. Since the questions I've seen used so far are from the Experian Credit Reporting system only - I have to assume this happens on Experian secure servers.
If Experian explicitly states they use "information already on file with Social Security", then they must have that information on file and , by implication, on their servers. If they do not possess the individual information directly, then they are able to do some sort of secure, real-time SQL query - which also implies a level of access I am NOT comfortable giving to a company with the track record of Experian.
We can parse all we want to about what privacy policies exist and how they are being respected, but the bottom line is: Experian is now in bed with your Social Security data. Whether they have limited access to only certain records or some other hands-off arraignment to respect privacy rules is unknown. We cannot know without looking at the specific details of the contract, which is unlikely to be available to the public.
Someone needs to review this relationship who has consumer interests in mind (Calling Elizabeth Warren?). Credit reporting agencies have shown a disturbing tendency to disrespect the public's privacy when profits are at stake and new business opportunities present themselves. Knowledge is power; your data is the currency - when your financial well-being, your job application, your security clearance and your good name is at stake - who do you trust?
Thu Jan 24, 2013 at 2:22 PM PT: Last update: though I did't need to, I created an account since a few friends have not be able to get in. I was able to log in with little problem, but I was already prepared to research obscure personal data. Calls to Social Security indicate that this was put in place to help secure personal data living on their servers. Both Experian & SS statements seem to indicate there is some sort of "short lived" data exchange.
The jury is still out as to how data is transferred to/from Experian and whether they are simply an "extra step" front-end for creating an account via Experian's existing identity verification software and database. I fail to see how adding this outside vendor to filter account creation does ANYTHING to keep SS Admin data secure.