When you’re training staff, you want them to get an idea of what their job will really be like. But that doesn’t mean you have to populate your manuals with actual customer data.
On Tuesday, credit giant Experian seemingly removed a selection of training manuals from one of its websites after Motherboard told the company they contained apparent customer data. One of those documents included the alleged credit score and other sensitive information from one business in Orange County, California.
“Customer data, likely real, accessible to the entire internet on Experian’s sites. Unacceptable,” the security researcher known as notdan tweeted on Tuesday, along with redacted screenshots of, and a link to, the exposed information.
Motherboard confirmed that the business name, address and contact information in the document refers to a real restaurant in Orange County. The business did not respond to a request for comment.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on This email address is being protected from spambots. You need JavaScript enabled to view it., or email This email address is being protected from spambots. You need JavaScript enabled to view it..
Further down in the document, it includes the alleged “Experian Score” of the business, as well as its “Intelliscore Plus,” information that some clients presumably would prefer to not be publicly available. And even if this was not wholly accurate information, linking a phoney credit score to a specific, real business may not be appreciated by that particular customer.
“Intelliscore Plus predicts the likelihood of serious credit delinquency within the next 12 months based on business and/or owner/guarantor risk factors,” the document reads.
Experian did not respond to multiple requests for comment, but shortly after Motherboard contacted several company representatives, the part of Experian’s website hosting the documents went offline. At the time of writing, it is unavailable.
In 2015, hackers targeted Experian and stole data on 15 million T-Mobile customers who had applied for credit checks. The data included names, addresses, and social security, passport and driver license numbers.
Subscribe to our new cybersecurity podcast, CYBER.