Examining LCBs Data Security Claims

NOTE: Since publishing this post last week, Landlord Credit Bureau has removed all references to being EI3PA compliant from its website without noting the change. So were they mistaken about being EI3PA compliant or did they deliberately mislead the public about their practices?

Here is what the FAQ section looks like now:

While reviewing a copy of the Frequently Asked Questions section of the Landlord Credit Bureau site for tenants something jumped out at me immediately when they began talking about data security.

A longtime concern of mine has been how LCB stores its data and to what extent it is compliant with existing standards for Information Technology security in general and sensitive payment data in particular. To date I’ve only seen vague claims of compliance with “regulatory bodies”.

With the discovery of the FAQ that LCB publishes on the tenant member section of its website we’ve found new claims they’ve made about data security that are extremely troubling. Let’s take a look.

Used under the Fair Use provisions of the DMCA for commentary and criticism

This is the first time I’ve seen LCB claim to be using a specific data security standard, an exciting development that I hoped would help answer some of the questions I had about their practices.

So what is EI3PA?

EI3PA stands for Experian Independent 3rd Party Assessment.

RSI Security explains further:

So on the surface it looks like EI3PA is a valid data security standard for the credit reporting industry, but there is a catch – the EI3PA is only for third parties doing business with Experian.

Who is Experian?

Experian is a competitor to Equifax and TransUnion. Notably they have not operated in Canada since April of 2009.

So why is Landlord Credit Bureau saying they are EI3PA compliant when this certification is only for doing business with Experian and they don’t do business with Experian? When it’s impossible for them to be doing business with Experian in Canada? Great questions. Presumably only Zac Killam knows how they are making this very specific claim of data security certification which is obviously not correct.

LCB is in business with Equifax in both its Canadian and US operations so they can’t even claim it’s for the US side of the business. It’s truly baffling.

Since we know they are doing business with Equifax, let’s just examine the data security standards that we know Equifax claims compliance with. We know a lot about the data protection standards Equifax has implemented because of an investigation into their security practices by the Privacy Commissioner of Canada following a data breach that saw the personal data of 143 million Equifax customers hacked in 2017.

The PCC report can be found here.

Here is a summary of the oversight mechanisms Equifax reported to the Privacy Commissioner:

The two main data security compliance models used by Equifax are ISO 27001, which is an Information Security Management certification and PCI DSS which is a certification system for payment card data security. No mention of EI3PA because it’s not a standard used by anyone but Experian.

What is true is that the EI3PA is basically the same program as PCI DSS, just tweaked for credit reporting and exclusive to Experian data aggregators. What is also true is that the Privacy Commissioner found that ISO 27001 compliance and PCI DSS compliance was insufficient in the case of Equifax for protecting customer data.

If we are expecting Landlord Credit Bureau to be at least as secure as Equifax – and we should considering they are handling the same kind of sensitive personal information and credit data – then at a minimum we’d expect to see ISO 27001 and PCI DSS certifications. So when LCB claims to be compliant in a security standard that is vendor-specific for a vendor that doesn’t even operate in this country I start to get very worried about the actual integrity of their data because it sounds an awful lot like they are just making it up. If they are willing to make up their data security compliance regime, what do you think their actual security practices are like?

Unfortunately the concerns don’t end here. Recall that their statement in the FAQ said that they “won’t go into detail here because we don’t want to share with hackers”. Not only is this just a really weird thing for a company tasked with storing credit information about you to say, it’s also the opposite of what open information security standards are about and not compliant with even the EI3PA program they claim to be compliant with.

Compliance regimes like ISO or PCI DSS rely on openly published standards that anyone with the time and inclination can go look up and evaluate for themselves. Obscurity is not security and thinking you are protecting yourself by not openly sharing your security standards is not an industry best practice, it’s a naive delusion.

The fact is, what security professionals the world over rely on is openly published and vetted standards and practices that are frequently presented as challenges to hackers. There are no big secrets in this world, just people who are diligent in their tradecraft and people who aren’t.

Worse in this case though is that LCB claims this EI3PA certification and part of getting this certification is having a detailed, openly published security policy.

Here is what Landlord Credit Bureau has published in public about their data security policies:

Used under the Fair Use provisions of the DMCA for commentary and criticism

None of this even mentions EI3PA or any other kind of data security certification.

Looking for more evidence of this EI3PA compliance I take note of the following from the RSI security websites breakdown of the standard:

The Landlord Credit Bureau tenant and landlord portal do not support multi-factor authentication. So once again, even if EI3PA certification was something relevant to LCB operations in Canada they would still not be compliant with the standard.

Another red flag that comes up is the EI3PA standard for avoiding vendor-supplied defaults. This is a common information security practice as many hardware and software vendors provide their wares with a bunch of default settings already enabled. Part of the discipline of information security is keeping these defaults from being exploited. This often involves disabling or otherwise altering the default setting so it cannot be easily exploited.

If you visit the following URL on the Landlord Credit Bureau website you will be taken to a login page that allows administrator access to the site (https://landlordcreditbureau.ca/wp-login.php). The LCB site is run by popular content management software called WordPress and they provide this URL as one of several defaults for admin logins.

Used under the Fair Use provisions of the DMCA for commentary and criticism

Consulting security best practices for implementing WordPress we find that one of the recommendations is securing this page:

Once again we can see that Landlord Credit Bureau is not compliant with the EI3PA certification standard. Nor would any of these issues see them in compliance with PCI DSS or ISO 27001. These observations should raise serious concerns in the minds of anyone who has their data being stored and used by Landlord Credit Bureau at this point. The Ministry of Government and Consumer Affairs needs to demand an audit into LCBs data security practices in order to restore public confidence.