PG&E was publicly exposing partial SSN information of US consumers through its use of Experian Identity Verification questions.

Lucky225
7 min read · Oct 1, 2022

I recently discovered PG&E will let you sign up for electricity online without providing your SSN. Their website offered an option for “Alternate Identification”, so I chose it and proceeded to sign up for service. The only things required were a name, an “alternate mailing address” (i.e. your current address), and a State ID, Passport or similar photo ID number, as shown below.

PGE.com sign up page with Alternate Identification option selected

I knew from experience that the ID number was likely not checked, and I verified this later. A reporter I was working with on this story also independently verified that simply entering 123456789 as a Passport number bypassed the ID number check, and that the site was verifying only the name and mailing address.

PGE.com’s sign up page ID type section showing Passport > USA selected with number 123456789

After providing PGE.com’s sign up page with a name, address and photo ID number (the ID number goes unchecked and unvalidated), clicking Next brought up Experian’s Identity Verification questions. In our testing, with the consent of the individuals involved, every single time prior to publication of this story, while the flow was still live on PGE.COM, the first question…
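To make the gap concrete, here is an added example (my own illustration, not PG&E’s or Experian’s code) that models the flow described above: a sign-up handler that gates the identity-verification questions on name and mailing address alone, next to one that refuses to hand out those questions until the photo ID number has actually been verified against its holder. The customer records, the ID-verifier lookup table, the field names and the placeholder question text are all constructed assumptions for the example.

```python
"""Added example: why an unchecked "Alternate Identification" number is no check at all.

Everything below is constructed for illustration: the customer records, the
ID verifier (a dict standing in for a real document-verification service),
the placeholder question text and all function/field names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed: what a document-verification service could answer.
# Assumption: it maps (id_type, id_number) -> the verified holder's name.
KNOWN_IDS = {
    ("passport_usa", "A1B2C3D4E"): "Jane Example",
}

# Constructed customer records keyed by (name, mailing address), the only
# two fields the observed flow actually matched against.
# The question text is a neutral placeholder, not a real KBA question.
CUSTOMERS = {
    ("Jane Example", "1 Main St, Anytown, CA"): {
        "kba_questions": ["Placeholder question 1", "Placeholder question 2"],
    },
}

# Trivially fake ID numbers: one repeated digit, or 123456789 / 1234567890.
PLACEHOLDER_ID = re.compile(r"^(?:(\d)\1*|1234567890?)$")


@dataclass
class SignupRequest:
    name: str
    address: str
    id_type: str
    id_number: str


def vulnerable_signup(req: SignupRequest) -> dict:
    """Models the observed behaviour: the ID number is collected but never used."""
    record = CUSTOMERS.get((req.name, req.address))
    if record is None:
        return {"status": "no_match"}
    # req.id_type and req.id_number are never inspected, so anyone who knows
    # a name and address reaches the verification questions.
    return {"status": "kba", "questions": record["kba_questions"]}


def hardened_signup(req: SignupRequest, verifier: dict = KNOWN_IDS) -> dict:
    """Same flow, but the questions are only released after the ID is verified."""
    record = CUSTOMERS.get((req.name, req.address))
    if record is None:
        return {"status": "no_match"}
    if PLACEHOLDER_ID.match(req.id_number):
        return {"status": "rejected", "reason": "placeholder id number"}
    # Assumption: the verifier returns the holder name for a genuine document.
    holder = verifier.get((req.id_type, req.id_number))
    if holder is None or holder != req.name:
        # Deliberately the same response for "unknown" and "wrong holder",
        # so the endpoint cannot be used to probe which ID numbers exist.
        return {"status": "rejected", "reason": "id not verified"}
    return {"status": "kba", "questions": record["kba_questions"]}


if __name__ == "__main__":
    bogus = SignupRequest("Jane Example", "1 Main St, Anytown, CA", "passport_usa", "123456789")
    print("vulnerable:", vulnerable_signup(bogus)["status"])  # reaches the questions
    print("hardened:  ", hardened_signup(bogus)["status"])    # rejected
```

The placeholder-number check is only a tripwire for the obvious 123456789 case; the real fix is the verifier lookup, which makes the ID number a secret the applicant must actually possess rather than a free-text field that is stored and ignored.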
