Senators Demand Answers from T-Mobile and Experian Following Security Breach of 15 Million Customers’ Personal Data, Including Social Security Numbers

October 7, 2015

WASHINGTON, D.C. – Today, U.S. Senators Richard Blumenthal (D-Conn.), Ranking Member of the Senate Commerce Subcommittee on Consumer Protection, Bill Nelson (D-Fla.), Ranking Member of the Senate Commerce Committee, and Brian Schatz (D-Hawaii), Ranking Member of the Senate Commerce Subcommittee on Communications and the Internet, demanded answers from T-Mobile and Experian on actions the companies are taking to address the recent security breach that exposed the personal data, including social security numbers, of up to 15 million T-Mobile customers.

In letters to T-Mobile CEO John Legere and Experian CEO Brian Cassin, the senators stated that the breach is “is extremely troubling to us given the sensitive nature of the compromised personal data, and its particular value to identity thieves,” especially with the exposure of social security numbers. “Unlike bank account numbers, which can be deleted as soon as a bank identifies fraud, Social Security numbers are hard to change and are tied to tax forms, credit cards, mortgages, bank accounts, health insurance, and medical records…According to the Department of Justice, 64 percent of the 17.6 million victims of identity theft in 2014 experienced a direct financial loss resulting from personal information fraud. This is particularly distressing based on your companies’ reported breach, because victims of personal information fraud lost an average of $7,761 compared to victims of bank or credit card fraud who lost an average of $780.”

“We have been advocates for data security and breach notification legislation that would better protect consumers and improve corporate responsibility,” the senators continued. “Experian and T-Mobile’s recent incident demonstrates the need for legislation that addresses both consumer notification and sets minimum security requirements for companies that collect and store such sensitive consumer data.”

Full text of the letters is below.

Dear Mr. Legere / Mr. Cassin:

We write with regard to the recent reported data security breach at Experian, which may have exposed the names, address, birth dates and Social Security numbers of fifteen million T-Mobile customers.  This news is extremely troubling to us given the sensitive nature of the compromised personal data, and its particular value to identity thieves.  

Unlike bank account numbers, which can be deleted as soon as a bank identifies fraud, Social Security numbers are hard to change and are tied to tax forms, credit cards, mortgages, bank accounts, health insurance, and medical records. By learning someone’s Social Security number, a criminal can obtain credit cards in a victim’s name, wire money from a victim’s bank account, or even access tax and medical records. According to the Department of Justice, 64 percent of the 17.6 million victims of identity theft in 2014 experienced a direct financial loss resulting from personal information fraud. This is particularly distressing based on your companies’ reported breach, because victims of personal information fraud lost an average of $7,761 compared to victims of bank or credit card fraud who lost an average of $780.  

The Senate Committee on Commerce, Science, and Transportation has jurisdiction over commercial online practices and data security, and, as Ranking Members of the full Committee, the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, and the Subcommittee on Communications, Technology, Innovation and the Internet, we have been advocates for data security and breach notification legislation that would better protect consumers and improve corporate responsibility. Experian and T-Mobile’s recent incident demonstrates the need for legislation that addresses both consumer notification and sets minimum security requirements for companies that collect and store such sensitive consumer data.  

We request that Experian’s information-security executives provide a detailed accounting to the Committee regarding your investigations and latest findings on the circumstances that permitted unauthorized access to the personal information of so many Americans. We expect that your security experts have had enough time to thoroughly examine the cause and impact of the breach and will be able to provide the Committee with detailed information.

Sincerely,