Senate Democrats press T-Mobile on data breach

Three Senate Democrats are seeking answers from credit agency Experian about the recent data breach that exposed up to 15 million T-Mobile customers.

Sens. Richard Blumenthal (D-Conn.), Bill Nelson (D-Fla.) and Brian Schatz (D-Hawaii) — all leading Democrats on the Senate Commerce Committee — wrote the two companies Wednesday, requesting information on how both firms were handling fallout from the hack.

{mosads}T-Mobile last week notified its customers that hackers had compromised encrypted data at Experian, which processes the telecom carrier’s credit applications, sometime in September. The digital intruders made off with sensitive data, such as Social Security numbers, and other ID data, like driver’s licenses numbers or passport numbers.

“This news is extremely troubling to us given the sensitive nature of the compromised personal data, and its particular value to identity thieves,” the senators said in the letter sent Wednesday to T-Mobile CEO John Legere and Experian CEO Brian Cassin.

“Unlike bank account numbers, which can be deleted as soon as a bank identifies fraud, Social Security numbers are hard to change and are tied to tax forms, credit cards, mortgages, bank accounts, health insurance, and medical records,” they continued. “By learning someone’s Social Security number, a criminal can obtain credit cards in a victim’s name, wire money from a victim’s bank account, or even access tax and medical records.”

All three senators behind the letter hold leadership positions on the Commerce Committee. Nelson is the top Democrat of the overall panel, Blumenthal the ranking member of consumer protection subcommittee and Schatz the top Democrat on communications and Internet subcommittee.

The committee has been considering a bill from Nelson that would set national data security requirements and require companies to notify customers of a data breach involving personal information within a set timeframe.

The Experian breach is just the latest in a slew of hacks that have rattled the private sector. Mega data breaches at Target, Home Depot, JPMorgan Chase and others have exposed hundreds of millions of Americans’ personal data.

“Experian and T-Mobile’s recent incident demonstrates the need for legislation,” the letter said.

Nelson’s bill mirrors a White House proposal on the subject, which would require breached companies to notify customers their information had been exposed within 30 days of discovering an intrusion. The measure would also establish minimum security guidelines for companies handling sensitive data.

But at least four other similar, yet competing, data breach bills are also circulating the upper chamber. Lawmakers have yet to figure whether to throw support behind one offering, or to combine their efforts.