Privacy organisations want a full investigation into the Experian T-Mobile hack

Why did the T-Mobile server have fewer security protections than the full Experian credit reporting database, asks Public Interest Research Group

US privacy organisations want a full investigation into the Experian data breach, which enabled hackers to get hold of data on 15 million T-Mobile customers.

Led by the Public Interest Research Group (PIRG), more than 25 national and state consumer privacy organisations have come together to ask the US Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) to find out exactly what went wrong, and ensure that it never happens again.

Stolen details include names, birth dates, social security information including drivers' licences and passport numbers, though apparently not financial details. T-Mobile was the only Experian customer to be affected as the server that was compromised only handled credit-check data for the US mobile network.

"If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?" asks PIRG consumer program director Ed Mierzwinski.

"If it was subject to the same protections as the credit reporting server, doesn't this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?" he asks.

Mierzwinski also suggested that, since credit monitoring, which has been offered to victims by the firms, doesn't stop new account identity theft, the CFPB could require the nationwide credit rating agencies (CRAs) to provide free security freezes to affected consumers.

These are just three of the questions and suggestions that the privacy organisations want answered through an investigation by regulators.

Last week, David Goldschlag, co-creator of the Tor secure browser, suggested that the hack showed that encrypting data isn't a "panacea" for keeping information secure from hackers.

"Experian differentiated between personally identifying information that was not stored encrypted, and credit card info which was stored encrypted - both were hacked," he said.

"It is likely that the hackers were able to decrypt the encrypted information too. So storing information in an encrypted form may not be the panacea that people expect," he warned.