The Public Interest Research Group (PIRG), which is backed by 28 other bodies, has called for a Federal investigation into Experian, following a major hack at the credit database company.
Experian claims personal data on 15 million T-Mobile customers was stolen in the breach.
However, the PIRG fears the hack may have extended to the rest of Experian’s credit database.
This holds personal information about some 200 million Americans, it said.
The Experian breach occurred at Decisioning Solutions, a subsidiary of the credit agency which T-Mobile uses to process information on subscribers.
Names, birth dates and social security numbers were among data stolen, but not financial details, the firms said.
Experian has said the business was “completely separate” from its main credit bureau business, which was “not affected”.
However, in a statement, PIRG’s consumer program director, Ed Mierzwinski, urged both the Consumer Financial Protection Bureau and the Federal Trade Agency to investigate whether other Experian databases had been breached.
He said: “If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?
“If it was subject to the same protections as the credit reporting server, doesn’t this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?”
Prominent cybercrime journalist Brian Krebs has also raised concerns about Experian’s internal data protection policies.
In a blog, published on October 8, Brian Krebs claimed to have interviewed “half a dozen security experts” who recently left Experian frustrated with its approach.
“Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability at the firm,” he said.
Experian data has been breached before – such as in 2012, when an attack on an Experian subsidiary exposed social security numbers of 200 million Americans.
This prompted an investigation by at least four states, including Connecticut.
Commenting on PIRG’s campaign, an Experian spokesman said: “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.”
He added: “Security is a top priority for the company, and Experian is committed to continuous investments in upgrading talent, processes, and technologies needed to protect our systems.”
He also said the Experian had invested of “tens of millions of dollars” in the last three years to strengthen its security.
A number of lawsuits seeking class action status are under way against T-Mobile and Experian, on behalf of victims affected by the breach.