PG&E was publicly exposing partial SSN information of US consumers through its use of Experian Identity Verification questions.

Lucky225
7 min readOct 1, 2022

I recently discovered PG&E will let you sign up for electricity online without providing your SSN. Their website offered an option for “Alternate Identification”, so I chose it and proceeded to sign up for service. The only thing required was your name, “alternate mailing address”(i.e. your current address), and a State ID, Passport or similar photo ID number as shown below.

PGE.com sign up page with Alternate Identification option selected
PGE.com sign up page with Alternate Identification option selected

I knew through experience the ID number was likely not checked, and I verified this fact later. A reporter I was working with on this story also independently verified just throwing 123456789 as a Passport number bypassed the ID number check and that it was only verifying mailing address and name alone.

PGE.com’s sign up page ID type section showing Passport > USA selected with number 123456789
PGE.com’s sign up page ID type section showing Passport > USA selected with number 123456789

After providing PGE.com’s sign up page with a name, address and Photo ID number (which ID number goes unchecked and unvalidated), upon clicking Next you would be met with Experian’s Identity Verification questions. In our testing with the consent of various individuals, every single time prior to publication of this story while still live on PGE.COM, the first question…

--

--

No responses yet