Following a breach of a subsidiary of the nationwide credit bureau Experian affecting 15 million customers and applicants of T-Mobile, a number of state PIRGs have joined other leading privacy and consumer groups in a request for investigations by the CFPB and FTC. Experian has admitted that the data breach included “names, addresses, Social Security Numbers and birth dates, as well as other information from 15 million T-Mobile customers and applicants.” We are concerned because, as we ask in the letter:
What are the differences in security measures that would allow hackers to access the information of T-Mobile customers but not the main credit report files? If there are differences, why weren’t the security measures used for the T-Mobile server? If there are no such differences, doesn’t this raise the troubling possibility that the servers holding highly sensitive credit and personal information of over 200 million Americans are vulnerable to a data hack by identity thieves?
Finally, as we pointed out in our news release when we learned of the breach, a security freeze (also called a credit freeze) is the only way to stop new account financial identity theft, yet the breached firms are only offering weaker credit monitoring, so we also ask the regulators:
Is there any authority for the CFPB to require the nationwide CRAs to provide free security freezes to affected consumers? Are the CFPB and FTC willing to urge the nationwide CRAs to do so?
The letter is attached.