US consumer privacy groups have called for a Federal investigation into Experian, following a major hack at the credit database firm.
Experian claims personal data on 15 million T-Mobile US customers was stolen in the breach.
But the Public Interest Research Group (PIRG), backed by 28 other bodies, fears the hack may have extended to the rest of Experian’s credit database.
This holds personal information about some 200 million Americans, it said.
“A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it added.
The Experian breach occurred at Decisioning Solutions, a subsidiary of the credit agency which T-Mobile uses to process information on subscribers.
Names, birth dates and social security numbers were among data stolen, but not financial details, the firms said.
Experian has said the business was “completely separate” from its main credit bureau business, which was “not affected”.
But in a statement, PIRG’s consumer programme director, Ed Mierzwinski, urged both the Consumer Financial Protection Bureau and the Federal Trade Agency to investigate whether other Experian databases had been breached.
He said: “If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?
“If it was subject to the same protections as the credit reporting server, doesn’t this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?”
Prominent cybercrime journalist Brian Krebs has also raised concerns about Experian’s internal data protection policies.
In a blog, published on 8 October, he claimed to have interviewed “half a dozen security experts” who recently left Experian frustrated with its approach.
“Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability at the firm,” he said.
Experian data has been breached before – such as in 2012, when an attack on an Experian subsidiary exposed social security numbers of 200 million Americans.
This prompted an investigation by at least four states, including Connecticut.
Commenting on PIRG’s campaign, an Experian spokesman said: “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.”
He added: “Security is a top priority for the company, and Experian is committed to continuous investments in upgrading talent, processes, and technologies needed to protect our systems.”
He said the firm had invested of “tens of millions of dollars” in the last three years to strengthen its security.
A number of lawsuits seeking class action status are under way against T-Mobile and Experian, on behalf of victims affected by the breach.