Credit critique - A can of worms

Last week, I found out a fun thing. My country has not one credit bureau, but four.

That would seem bad enough on its own, but one of these is a private company operating all over Europe! All this started quite simply, I wanted to know who has my data. Can’t say I don’t know now, but it’s much more than I bargained for.

How I found out

I had a bright idea about two weeks ago: Ask my banks to give me all information they have on me. Thanks to GDPR, it should be easy. Just send an e-mail, they know it’s me, and done. They have 30 days to give me any and all information they have on me. Should have been easy.

When I looked at their site, they had a “who our data is shared with” section. In that section, I found four names I had never heard about before. My country apparently has three national credit bureaus and one private company. This company is not only in my country, but in multiple other countries as well.

The national institutions are something I may not have much say in, I don’t want to lie to the government, and getting my data removed may cause too many issues in the future (if it’s even possible at all, given my current financial interactions). But that one private company? They can fuck right off.

How the deletion is supposed to go

Once I knew who to ask, I looked up each of the companies in one big e-mail. The TL;DR was something akin to:

“Hi, I found out you have my data. How can I get at them and how can I freeze my credit report?”

I sent each company in the Bcc (because fuck writing stuff four times), and about four days later, I got an answer. A long-winded answer, to be exact, saying firstly:

“only people with access to the data have access to the data.”

(No, really? I would have never guessed.)

But they gave me some good news: There is no problem with me getting my data, they are more than happy to provide them to me, everything they have, and freezing my credit may not be difficult, either.

There is only one thing I have to do, and that is:

Upload my ID from both sides to their website so they can verify my identity.

I understand that that is expected in most cases, but I don’t suppose anyone would find that weird. After all, if they didn’t check IDs, anyone could get my data through GDPR, right?

The issue is that they already have my data. They pull it from banks (which I try not to lie to), so if they wanted, my e-mail should be enough! They have my phone number, no doubt, so why not use that?

The answer is: A whole lot of what-if’s. If someone gets my phone number/e-mail, they would be able to get it all! Luckily, the responsible person gave me a couple of alternatives:

  1. Go to a lawyer, fill out the PDF form, have my signature verified and send it by snail mail
  2. Fill out the form, sign and bring it physically to their location

As I’m not a fan of lawyers, I’m going to have to go with the second option, that is to go there myself and hand my stuff in. My ID will not be photocopied anymore.

Wish me luck with this, it may not be easy to find them and get them to accept my request.

One thing I omitted before is that this was an answer from the state institutions. The private company still did not get back to me. They did not respond to me at all (yet), but it’s been a week with no communication. I will keep trying, although these will probably prove much more difficult to track down.

Closing tips

If you’re in Europe, specifically the EU, you have GDPR to help. Think of GDPR as the crowbar that opens any door. Do your OSINT, most institutions have an e-mail address you can send your request to, and if that request is a properly formed GDPR query, they have 30 days to get back to you. The penalties are quite severe (or can be), so they probably won’t mess with you.

If after 30 days, you don’t get a reply (not even a “hey, do XYZ to get your data”), you can either use a scalpel or a hammer.

  • Scalpel: Find the highest positioned person in that corporation (the CEO, board of directors) and send them an e-mail, specifically requesting assistance. I have had success with this method, just call the person if you get their phone number and ask.
  • Hammer: Start a daily e-mail to them, their service provider, the board of directors, whoever. Put them all in the Cc, so they know the others got the mail too. By doing this daily (with an automated script, of course), you give them something to look at and after a while, one of them will cave in and give you information on where to go next, or what to do.

The third option is to show up physically at the institution, have them identify you (no ID scans, nothing goes in a computer except for a request), and have them call you when your report is ready. You can then pick it up at their office again.

As mentioned, the penalties are quite high, so they will not want to mess with you in that regard.

This only applies to companies where you are sure they have information on you: Your bank, your school, etc. The situation is quite different with organizations and companies where you are not sure if you’re even there. That is where I always tread carefully, and such is the case with these credit bureaus. I am 99% sure that they have information regarding my person. I have a bank account, after all. What I don’t know is how much they know about me. If I give them a scan of my ID and it turns out they didn’t have that before, I just gave out more information than I could potentially get. If I send them my ID and they have nothing on me, now they do! That is a place I do not want to get to.

Privacy is a double-edged sword, to keep it, you may have to give up certain luxuries. You may not be willing to sacrifice a certain luxury to gain more privacy, and I want to say that that is perfectly okay. I understand, I’m still weighing every pro and con. It makes no sense to disappear off the face of the Earth if it meant living a worse life than the one I have now. But I’m not doing this purely for myself, I want to document this journey for anyone who may be looking into their own privacy posture and not know where to start.