Today, Experian disclosed another data breach. This one affected 15 million customers of T-Mobile USA, for whom Experian hosts consumer data used for credit checks for new accounts.
In tweeting my frustration about this latest incident, @emptywheel suggested I post the complaint I filed with the FTC about Experian in 2012. After some thought, I’ve decided to do just that.
As background: in April 2012, this blogger filed a complaint with the FTC about two patterns of data breaches reported by Experian. One type of breach involved their clients’ login credentials being misused to access their credit report database(s). The other type of breach involved people being able to authenticate as consumers and access the credit reports for those consumers.
At the time I filed the complaint, I was aware of 72 data breaches reported by Experian to state attorneys general in the handful of states that had centralized breach reporting. Of those 72 reported breaches, 62 involved misuse of client login credentials. Jordan Robertson of Bloomberg also subsequently reported on the breaches.
Since April 2012, I have continued to update the FTC by e-mail as more breaches have been reported (and cf, this post). As of my last update to the FTC, there were now reports by Experian of 109 data breaches where clients’ login credentials were misused, plus additional breaches where unknown individuals were able to authenticate as consumers to access their credit reports.
And that doesn’t include the Court Ventures mess, which also involved Experian.
So if you’re a T-Mobile USA customer who’s ticked off at Experian over this newest data breach, maybe you should join me in asking the FTC what, exactly, they’ve done with respect to Experian and enforcing data security to protect consumers. They certainly can’t claim they didn’t know and weren’t warned that there were concerns, because here’s the complaint (pdf) they received in April, 2012.