Last week’s hack against Experian, which exposed details on millions of T-Mobile customers, has privacy advocates up in arms. Dozens of consumer advocate groups and privacy organizations signed an open letter to the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) urging them to launch an investigation into the breach.
“We believe this breach, occurring at one of the nationwide CRAs [consumer reporting agencies], takes this problem to a whole new and dangerous level given the extraordinarily large amounts of critical financial information they hold,” according to the letter. “Identity thieves could play havoc of an unimaginably huge scale with access to such data, with potentially devastating consequences to consumers, financial institutions, and the American economy.”
A Terrifying and Unmitigated Disaster
The breach first made news last week, when Experian announced that a hacker or hackers had stolen the records of 15 million customers and potential customers who had applied for T-Mobile services or credit from September 2013 through September 2015. The stolen information included names, dates of birth, addresses, and Social Security numbers; no payment card or banking information was taken, according to Experian.
The groups, led by the U.S. Public Interest Research Group, have requested that the agencies investigate both the reported breach and whether any other Experian databases might have been compromised. Experian is one of only three nationwide CRAs, and holds data on more than 200 million individuals. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” the advocates said.
For its part, Experian is claiming that the breach only affected one server that is kept separate from its credit bureau business, and that the consumer credit database was not impacted. But the information that was stolen could still be considered protected personal information under the Gramm-Leach-Bliley Act, according to the privacy groups.
The letter called on the FTC and CFPB to investigate a number of different issues. In particular, the advocates want to know whether Experian violated the data safeguard rules in Gramm-Leach-Bliley. That law requires financial institutions both to explain their information-sharing practices to their customers and to safeguard sensitive data.
Another unanswered question is how Experian handles information from its partners, such as T-Mobile, differently from information contained in its credit report database. And if there are differences, why did Experian employ one set of safeguards for its credit bureau business and a different one for the T-Mobile customers? If there aren’t any differences, that could indicate that Experian’s other clients could be just as vulnerable to this sort of attack in the future, according to the privacy groups.
The privacy advocates also want to find out exactly what the CFPB is doing to regulate CRAs like Experian. CFPB is required to supervise CRAs as “larger participants.” The groups also encouraged CFPB and the FTC to require CRAs to provide free security freezes to customers affected by data breaches in the future.