Experian is struggling to shake off the controversy over its US data breach with calls for a full federal investigation into the issue, and a leading British academic warning that the current security measures of all big data giants are flawed.
The move follows demands that chief executive Brian Cassin should be ousted after the hack which saw the personal details of more than 15 million US T-Mobile customers exposed.
Led by the Public Interest Research Group (PIRG), more than 25 national and state consumer privacy organisations have joined forces to urge the US Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) to find out what went wrong, and ensure that it never happens again.
Stolen details include names, birth dates, social security numbers, driving licences and passport details, although the firm insists financial information was not affected. It has also been at pains to stress that T-Mobile was the only Experian customer to be affected.
But PIRG consumer programme director Ed Mierzwinski said: “If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?
“If it was subject to the same protections as the credit reporting server, doesn’t this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?”
Meanwhile, John Walker, visiting Professor at the School of Science & Technology at Nottingham Trent University, has warned that the Experian breach could be just the tip of the iceberg.
In a blog post on the Infosecurity website, Walker wrote: “Any data warehouse in the image of Experian, and of course other such agencies in the credit referencing industry, will host high volumes of potential and attractive targets upon which cyber-criminality will attempt to feed.
“And given the multiple third party relationships, and the necessity to provision access to compartmented data-sets to the paying user clients, there would seem to be a high potential of associated exposure.”
He cites 2012 figures which claimed Experian had suffered breaches against its databases no less than 80 times, with one claiming that almost 15,000 credit reports were pilfered, while it has also been found guilty of selling around 200 million identity records were known criminals.
“[Companies] must go that extra mile to both prove, and to demonstrate they are appropriate custodians of such sensitive data-sets – and by inference must be in a position to evidence that they deliver the security mission beyond all reasonable doubt – here the definition of adequate is simply not fit for purpose.”
He added: “This company, like many others, has missed one fundamental point of potential exposure – Open Source Intelligence. There is still a gap in the world of cyber security understanding of the wider ramifications of what Open Source Intelligence is, and what it can really mean to a cyber-criminal or hacker who may discover, acquire, and exploit snippets of subliminal data leakage.
“For instance email addresses, user IDs, PC names, IP addresses, local folders and so on are potentially hosts of open source, publicly available snippets of intelligence that may also be used to socially engineer the target.”
Related stories
Court rejects Experian data theft case
Breach fuels call to fire Experian boss
Experian guns for chief over theft
Experian bomb threat man charged
