Experian Faces Congressional Scrutiny Over BreachU.S. Senators Seek National Notification, Data Security Regulations
Three Democratic U.S. senators are demanding answers from the CEOs of Experian - one of the "big three" U.S. credit bureaus - and T-Mobile, after Experian recently warned that it suffered a data breach that exposed personal information for 15 million T-Mobile subscribers (see Experian Hack Slams T-Mobile Customers).
See Also: The Global State of Online Digital Trust
"We request that Experian's information security executives provide a detailed accounting to the committee regarding your investigations and latest findings on the circumstances that permitted unauthorized access to the personal information of so many Americans," U.S. Senators Richard Blumenthal, D-Conn., Bill Nelson, D-Fla., and Brian Schatz, D-Hawaii, say in a letter to the CEOs. "We expect that your security experts have had enough time to thoroughly examine the cause and impact of the breach and will be able to provide the committee with detailed information."
T-Mobile did not immediately respond to a request for comment, but Experian tells Information Security Media Group that it will field the senators' request. "Experian has received the letter and understands the concerns raised," says spokeswoman Susan Henson. "We will respond accordingly to their request for details about the incident."
The senators set no deadline for Experian to furnish the required information. The legislators said the breach and identity theft threat now facing 15 million consumers "demonstrates the need for legislation that addresses both consumer notification and sets minimum security requirements for companies that collect and store such sensitive consumer data." To date, however, Congress has failed to pass any such laws.
Still, the senators' questions have broad relevance, because Experian, according to its 2015 annual report, stores credit-related information for 890 million consumers.
Nor is this the first time that Experian has suffered a data breach. The breach expert known as "Dissent" claims there have been at least 109 Experian breaches in which clients' log-in details were misused, plus an unknown number of cases in which attackers impersonated consumers to steal their personally identifiable information. The misuse of data from Experian's Court Ventures subsidiary resulted in a Vietnamese fraudster offering "for sale millions of stolen identities of U.S. citizens to more than a thousand cyber criminals scattered throughout the world," according to the U.S. Department of Justice, which successfully prosecuted the fraudster, who was sentenced to a 13-year prison term in July (see ID Theft Case: Experian Faces Lawsuit).
Still, the senators' request belies that Experian has continued to release breach-related details. Spokeswoman Henson recently told Dissent: "Our investigation shows the activity took place over a number of days in mid-September, not two years as was reported by some media outlets." She added that Experian first discovered the breach on Sept. 15, quickly locked down affected systems, and then set up related telephone and website support channels and alerted customers to the breach on Oct. 1.
Experian says it does not know who was responsible for the attack, and that it is continuing to work with law enforcement agencies to investigate the breach. It also notes that no payment card data was stolen, but names, dates of birth, Social Security numbers and other personally identifiable information were exposed in the breach. While some of that PII was encrypted, Experian says it believes the encryption was compromised.
But Experian has yet to explain exactly how the breach occurred, although in an Oct. 8 update to its breach FAQ, it says that it removed malware and "improper connectivity," isolated the affected server, increased its monitoring of servers, reviewed its Web application firewalls to ensure they're working as intended and overhauled its use of encryption keys. "We have taken immediate steps to harden our environment, the company says in a statement. "We continue to work to validate that our security measures and practices stand up to the high standards to which we hold ourselves."
But T-Mobile has slammed Experian - which under U.S. credit-check laws was required to retain the subscriber data for 25 months - for losing control of that PII, and it has threatened to dump the credit bureau. "All of our vendors are contractually obligated to abide by stringent privacy and security practices, and we regularly conduct reviews of vendor security practices as necessary," T-Mobile says in a breach FAQ. "That was no different with Experian."
Second ID Theft Option
In the wake of the breach, T-Mobile announced that Experian would be providing identity theft monitoring services for the 15 million affected consumers. Information security consultant Brian Honan - among other security experts - highlighted in a recent SANS Institute newsletter the irony of T-Mobile offering its customers "two years free identify theft monitoring from Experian, the company that lost the customer information in the first place."
T-Mobile USA CEO John Legere, however, appears to have heeded the criticism. Now, besides Experian's ProtectMyID servce, T-Mobile is also offering TransUnion's CSID service as an alternative, although it is available only by calling Experian's telephone support site, rather than via its dedicated T-Mobile breach website.
I hear you re: Experian as service protection option. I am moving as fast as possible to get an alternate option in place by tomorrow.ï¿½ John Legere (@JohnLegere) October 1, 2015
Experian Disputes Dark Web Report
To date, it's unclear whether fraudsters have been cashing in on the T-Mobile data stolen from Experian following the mid-September breach. On Oct. 3, however, Irish fraud-prevention startup Trustev told news outlet Venturebeat that it had seen information being sold on fraudster forums that might be stolen T-Mobile subscriber data. "Once fraudsters get their hands on data, they typically unload it very quickly," the Trustev spokesperson said, noting that the "fullz" - referring to complete sets of PII for individuals - appeared Oct. 2 on fraudster forums. "It's not definitely T-Mobile/Experian, but it's extremely likely considering the type of data and timing," the spokesman said.
But some similar past pronouncements issued by Trustev have turned out to be incorrect, and Experian says it has yet to see this report corroborated. "At this point, the reports of information from this incident being posted for sale on the dark web have not been confirmed by Experian," company spokeswoman Henson says. "Our security team continues to closely monitor and investigate the validity of this claim. Sadly, this type of unsubstantiated rumor on sales of the data from the dark web community causes unnecessary fear among the public."