A coalition of consumer groups wants U.S. regulators to investigate the cyber theft at a unit of the credit bureau Experian that exposed the accounts of 15 million T-Mobile customers.
Backed by more than 25 national and state consumer privacy groups, U.S. Public Interest Research Group (PIRG) wants the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) to fully investigate the data breach, which was made public earlier this month.
“As you know, Experian is one of the three nationwide consumer reporting agencies (CRAs), each holding data on over 200 million consumers,” the consumer groups write in a letter to the FTC and CFPB. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster.”
Experian, which gathers vast amounts of very personal information on all Americans, said hackers did not access other data beyond the T-Mobile customer files. But consumer advocates are not completely convinced and want a deeper accounting of the cyber theft to ensure that Americans’ credit files were not breached.
The more than two dozen consumer groups are joined by U.S. Sens. Richard Blumenthal (D-Conn.), Bill Nelson (D-Fla.), and Brian Schatz (D-Hawaii), who are also demanding inquiries into the T-Mobile/Experian hack.
The senators referred to the breach as “extremely troubling … given the sensitive nature of the compromised personal data, and its particular value to identity thieves,” according to separate letters sent by the lawmakers to T-Mobile CEO John Legere and Experian chief Brian Cassin.
Experian has conceded that the breach included “names, addresses, Social Security Numbers and birth dates, as well as other information from 15 million T-Mobile customers and applicants.”
Here are the questions that the consumer groups are posing to federal regulators, according to their letter:
1) Was there a violation of the data safeguard rules under the Gramm-Leach-Bliley Act? What kind of data security standards is the CFPB requiring for the nationwide credit reporting agencies (CRAs) as part of its supervision of them as ‘larger participants’, and was there a violation of those standards?
2) What kinds of decision-making does this (Experian) subsidiary provide? It appears to aggregate information used in credit transactions involving a consumer. How is its practice distinguishable from the sale of credit reports under the Fair Credit Reporting Act (FCRA)?
3) What kind of sharing of “header” or other credit information occurs across various Experian business platforms?
4) A separate Experian page (http://www.experian.com/marketing-services/partners.html) lists a variety of marketing partners. How does Experian firewall information contained in the credit report database differently from any information provided to these myriad partners?
5) What are the differences in security measures that would allow hackers to access the information of T-Mobile customers but not the main credit report files? If there are differences, why weren’t the security measures used for the T-Mobile server? If there are no such differences, doesn’t this raise the troubling possibility that the servers holding highly sensitive credit and personal information of over 200 million Americans are vulnerable to a data hack by identity thieves?
6) Is there any authority for the CFPB to require the nationwide CRAs to provide free security freezes to affected consumers? Are the CFPB and FTC willing to urge the nationwide CRAs to do so?