IE 11 is not supported. For an optimal experience visit our site on another browser.

Consumer data stolen from credit bureau

Social Security numbers and other information about more than 3,000 consumers were stolen recently from credit bureau TransUnion.
/ Source: a href="" linktype="External" resizable="true" status="true" scrollbars="true"><p>The Washington Post</p></a

Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud.

The data were housed in a desktop computer that was stolen last month from a regional sales office in California, TransUnion said. On Oct. 21, the company sent 3,623 notices to consumers alerting them to the breach and offering free monitoring of their credit reports for a year.

Colleen Tunney, vice president of corporate affairs for Chicago-based TransUnion, said the computer was probably the object of the burglary, not the data. She said the information on the computer required a password to access.

Tunney said the company is investigating why such information would be stored on an individual computer in a regional office rather than on a secure corporate network.

TransUnion and the industry's other major companies, Experian North America Inc. and Equifax Credit Information Services Inc., are best known as the keepers of credit reports relied upon by businesses when consumers apply for loans, jobs, rental housing and other services.

But the agencies also are large data brokers, competing in some areas with ChoicePoint Inc., LexisNexis and other large information-sellers that have reported data breaches involving hundreds of thousands of consumers.

Congress is considering bills that would set national rules for notifying consumers whose data might have been compromised.

The data industry supports a standard that would require notification only if a company decides there is a substantial risk that a breach would result in fraud or identity theft.

Consumer advocates and state attorneys general support a stiffer requirement of notification in almost all cases.

Tunney said notification in this case was "the right thing to do." She declined to say if the notification would have been required if Congress passes legislation favored by industry.

The breach was reported this week by the Privacy Times newsletter.