
InfoSec People Profile: Experian’s Michael Bruemmer


By Roy Urrico


Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security (infosec), cybersecurity and/or information governance to protect data and transactions at credit unions, other financial institutions, and fintechs serving the financial services industry.

Michael Bruemmer, vice president of global data breach resolution at Experian.

Michael Bruemmer has worked in some information security/cybersecurity capacity for over 25 years, with the last dozen-plus years at Costa Mesa, Calif.-based Experian.


As the vice president of global data breach resolution at Experian, Bruemmer navigates intricate data breach scenarios and helps shape innovative solutions for crisis management. His duties do not stop there. “I also have the title of vice president of consumer protection. I'm a spokesperson for Experian when it comes to consumer protection, identity theft protection; any type of fraud or cybersecurity,” Bruemmer told Finopotamus.



Gaining and Passing on Cybersecurity Knowledge


Bruemmer, born and raised in Madison, Wis., said he “actually did two stints at college.” His first two years were at Wake Forest in Winston-Salem, N.C. He then finished at the University of Wisconsin at Madison, earning a bachelor's degree in economics and labor relations.


While working for PepsiCo, Bruemmer got his first IBM PC. “It was a (IBM PC Convertible) with a three-and-a-half-inch floppy disk drive. I had to actually go through a cybersecurity training on how to use the machine, connect it and do all that stuff. That's where my first real interest in cybersecurity came in.”


Bruemmer’s job now entails addressing between 4,000 and 5,000 data breaches globally each year. “My team will do the notification to consumers, whether it's email or letters, the call center services in any language. And then we provide the identity theft protection, as well as complete fraud resolution on the backend with our IdentityWorks product.”


Bruemmer’s team also focuses on minimizing the impact of data breaches for clients across various sectors. With his guidance, Experian has established cooperative partnerships that provide fraud resolution services, and reinforce consumer confidence and brand protection. “On the breach side of the business, we're the largest provider globally of the services that we do: consumer notification, (and) the call center and the identity theft protection.”  


Two other major pieces in post-data breach actions, explained Bruemmer, “would be the legal advice, which is outside counsel providing privacy and security recommendations to the client; and the forensics, which determines in the security incident who is impacted and what happened in the breach, and if it rises to the level of a notification.”


Bruemmer added, “We don't do the forensics. We partner with other people in the data breach response industry. We don't provide legal advice but we do the consumer notification…whether it's by letter, email, or even putting up what we call a ‘substitute notice.’ We will work with them to craft that letter, make sure it has all the right information about what happened, why it happened, and what consumers should do to protect themselves. We provide a toll-free number for them to call and ask any questions about the breach.”


Practicing What They Preach


Bruemmer noted one of Experian’s core principles is “cybersecurity because of our position as a bureau and the data that we hold. I think about our posture, our chief information security officer, Sara Andrews, actually reports into our CEO and the board, which is a best practice. We follow all the ISO 27001 standards.” ISO/IEC 27001 (commonly known as ISO 27001) is the leading international standard that sets out the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).


“Security is a priority for every employee. In terms of data integrity and data protection, those are the number one things that all employees have on their annual training and in their focus in their job responsibilities,” emphasized Bruemmer. He added, “That's whether we're working with clients or consumers or regulators; making sure that we enforce all of those processes and regulations as part of our just ongoing business operations.”


Another core tenet at Experian, he said, is transparency and compliance. “So, transparency with all the data that we hold, particularly from a bureau perspective, but also the protection of that data.” Bruemmer explained that includes complying with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as well. GDPR (European Union) and CCPA both mandate security measures to protect personal data, but differ in their requirements.


“Because we have to have the transparency as well as the protection, we balance that privacy with the use of the data to help consumers have financial freedom,” Bruemmer continued. “If you don't have cybersecurity, you don't have transparency, you do not have the protection all rolled into one, you can't accomplish that task working with the consumers that we work with both domestically as well as globally.”


Experian serves two different businesses, Bruemmer observed. “We are the holder of consumers' data and we provide fraud products. We will provide data analytics and other services, but then we have over 300 million records on consumers and provide credit advice, consumer protection advice, identity theft protection directly to consumers in our direct consumer offering. That's just the United States and the number's much larger because we have 16 other bureaus around the globe beyond what we have here in the U.S.”


Dealing with the AI Threats


Finopotamus asked: “What threats keep you up at night?” Bruemmer responded, “Well, unfortunately, 98% of all breaches are still caused by human error.” But he added a caveat by pointing to the release of Experian’s 13th 2026 Annual Breach Industry Forecast, which predicted artificial intelligence (AI) is going to change that.


“It's not going to be human error anymore. AI is taking over and supercharging the hacking efforts,” Bruemmer said. “One of the things that keeps me up at night is the fact that the hackers are getting much further ahead than the protectors of the data because of artificial intelligence; deep faked videos, audio, encouraging people to click on links even in their LinkedIn profile that you think is somewhat secure and safe, that actually are infiltrations of malicious malware.”


Bruemmer continued, “Keeping on the AI trend, we have six predictions in our 2026 report, and five of the six involved some sort of AI, but in particular, social engineering that is powered by AI. Whether you are a large enterprise or a credit union or small financial institution, it's faster, it's better, it's harder to detect.”


As an example, Bruemmer presented Tilly Norwood, not a real person but an AI-generated character created by the company Particle6, whose near-signing with a Hollywood agency generated widespread controversy. “She's trying to get featured in films and you can't as a human tell the difference between an AI generated image and a real human being.”


Other Concerns and Help


An additional threat is ransomware. “It's not just ransoming somebody for access to get your data unlocked or unencrypted, but it's second or third ransoms,” warned Bruemmer. “They may unlock your data, but they don't tell you that they made a copy of it. And then they'll say ‘we're gonna go ahead and dump this on the dark web if you don't pay us again.’ And then sometimes we've even seen some clients that have been asked to pay a third time.”


Bruemmer discussed another concern, financial transfers, a particular vulnerability for credit unions. “That is business email compromise where hackers are posing as either a client or let's say the president of the bank saying to an employee, ‘please go ahead on my direction and transfer this amount of money to this particular account.’ And it's still happening at an effective rate. Again, more potent than ever before because of AI.”

 

Bruemmer also cited recent misconfigurations as leading to significant potential security problems for companies using Amazon Web Services (AWS) and network service provider Cloudflare. “Then last but not least, especially for your smaller credit unions, is the insider threat, which was below 5% in previous years, (but) is now approaching 10% because (cybercriminals) are following the money. They have access, they may have administrative user rights, and they're using it to go ahead and either commit a crime, take data, or do something else nefarious,” said Bruemmer.


Experian, he noted, “can not only help the consumer understand what they need to do,” but offer the option of enrolling online or over the phone. “Then once the person is in an identity theft protection product like our IdentityWorks suite of products, then we will alert them.”


For consumers interested in protecting against data compromises, Bruemmer recommended the “Ask Experian” blogs for help with any financial credit-related questions as well as visiting www.experian.com/databreach. “It gives you literally a great laundry list of things to do. Change your passwords, contact your financial institution, turn on the alerts with your apps, how to contact both the local police (and) to file a police report or FTC report.”
