Remember all that trouble you went through to freeze your credit report after the massive and unforgivable Equifax hack? Turns out it was all for nothing, as security writer Brian Krebs reported Wednesday that the same company responsible for compromising the security of nearly two-thirds of the adult population of the United States also operates a secondary credit bureau that’s affected by a major, easy-to-spot security vulnerability.

The shady-looking credit reporting institution is the National Consumer Telecommunications and Utilities Exchange (NCTUE), and it’s been operating outside the walls of the Big Three credit bureaus of Equifax, Experian, and TransUnion that we typically hear about.

The NCTUE was established in 1997 by AT&T as a way to maintain records on payment and account history reported by telecommunications companies, cable operators, and utility service providers. Members of the NCTUE include AT&T; the New York Data Exchange, which has a partnership with Verizon; the California Utility Exchange; and Centralized Credit Check Systems, which has next to no web presence whatsoever and is shrouded in mystery.

Equifax operates both the New York Data Exchange and the California Utility Exchange. According to Krebs, the company best known for the data breach apocalypse last year is the sole contractor in charge of managing the NCTUE database, and the whole thing is hosted on Equifax’s servers, which does not inspire a whole lot of confidence.

If you’ll recall, not only did Equifax manage to suffer from an all-timer of a hack, but it also followed it up with one of the worst-executed damage control campaigns imaginable. The site the company set up for consumers to check if they were affected by the breach asked for six digits of the visitor’s Social Security number, then told people their data was exposed no matter what they entered. The website itself was also vulnerable to hacking, not that it really mattered all that much seeing as Equifax sent people to a phishing site set up to look just like the real one.

This is the company in control of consumer information stored in a database that has thus far avoided the spotlight placed on credit reporting firms by last year’s breach. Krebs wrote that with a call to the NCTUE hotline and information like a person’s Social Security number and the numeric part of their home address—information pretty readily available online now, thanks to Equifax—it’s possible to order a credit report from the lesser-known bureau.

It is possible to freeze your credit score through NCTUE as well, but it’s not all that easy. Krebs describes the online process for placing a freeze on NCTUE reports as “completely borked at the moment.” Oh, and the site has an invalid SSL certificate, which means communications with the site are not encrypted and secure. So there’s that!

It is possible to place a freeze on your credit report through NCTUE by calling the 1-800 hotline at 1-866-349-5355, though be warned that you might incur a fee for the process.

[Krebs on Security]