In the wake of revelations that credit bureau Experian sold consumer data to the proprietors of an underground identity theft service, a powerful U.S. senator is calling on the company to divulge more information on the extent of the potential damage to consumers.
West Virginia Senator Jay Rockefeller, a Democrat who chairs the Senate Committee on Commerce, Science and Transportation, on Wednesday sent a letter (PDF) to Experian demanding additional details about the security breach. Specifically, Rockefeller asked for responses to questions about Experian’s vetting process for its customers and current practices for sharing consumer data. The senator also urged Experian to fully respond to his related previous inquiries regarding Experian’s customers, its oversight of its disclosure to third parties, and Experian’s data sources.
“The committee’s investigation has focused to date on how companies including Experian collect and sell consumer information for marketing purposes, while the information Experian reportedly sold to identity thieves – such as Social Security numbers and banking information – appears to be data Experian collects and sells for risk assessment activities,” Sen. Rockefeller wrote in the letter to Experian President Donald Robert. “However, if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them, regardless of the particular line of business.”
The letter is a follow-up to an investigation that Sen. Rockefeller launched in October 2012 regarding several data brokers — including Experian — to understand how the companies collect, store, and share personal consumer data. According to the committee, Experian is one of several companies that has refused to fully respond to Rockefeller’s request for information – which Rockefeller discussed publicly in this letter.
That 2012 letter was sent to the three major credit bureaus, including Experian, Equifax, TransUnion. Rockefeller also queried Reed Elsevier, the parent company of data aggregator LexisNexis. Last month, KrebsOnSecurity broke a story showing that LexisNexis was among three other data brokers that had been hacked by a cybercriminal gang which operated a competing underground identity theft service — ssndob[dot]ms.
In a statement provided to The New York Times, Experian spokesman Gerry Tschopp said: “We have responded — and will continue to respond – in a very transparent manner to Senator Rockefeller.”
According to The Times, Sen. Rockefeller last month widened his probe, asking a dozen popular Web sites to provide information on their information-sharing practices with data brokers. The sites included in that inquiry were About.com, Babycenter.com, Bankrate.com, Health.com, Investopedia.com, Mensfitness.com and Self.com.
“While some consumers may not object to having their information categorized and used for marketing,” the senator wrote, “before they share personal information, it is important that they know it may be used for purposes beyond those for which they originally provided it.”