Credit bureau Experian is being sued by the city of San Diego for what the city says is the companies failure to notify consumers of a data breach.
One of the issues surrounding private companies and data breaches is the fact that some companies are reluctant to notify their customers that their personal data has been compromised. The motive is typically money and sometimes to retain a good reputation as well. This, of course, isn’t just a theoretical scenario. If the city of San Diego proves their case in court, it will be a concrete example of this happening.
This story went public around 2015 when reports surfaced of a data breach occurring at Experian. As a result of the breach, 15 million people’s personal information was compromised – or so it was known at the time. From one report at the time:
credit bureau and consumer data broker Experian North America disclosed Thursday that a breach of its computer systems exposed approximately 15 million Social Security numbers and other data on people who applied for financing from wireless provider T-Mobile USA Inc.
Experian said the compromise of an internal server exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment. The Costa Mesa, Calif.-based data broker stressed that no payment card or banking details were stolen, and that the intruders never touched its consumer credit database.
Based on the wording of Experian’s public statement, many publications have reported that the breach lasted for two years from Sept. 1, 2013 to Sept. 16, 2015. But according to Experian spokesperson Susan Henson, the forensic investigation is ongoing, and it remains unclear at this point the exact date that the intruders broke into Experian’s server.
Henson told KrebsOnSecurity that Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 2015.
Fast forwarding to today, it seems the city of San Diego believes the credit bureau did not disclose the breach to consumers. As such, the city is suing the company on behalf of affected citizens, 250,000 in all. From SC Magazine:
The city of San Diego is suing Experian over the data breach that compromised millions of records including those of 250,000 people in San Diego.
San Diego City Attorney Mara Elliott filed a lawsuit against the firm claiming the consumer credit company failed to notify customers of the breach, as required by California law, and ordering the firm to pay for identity protection services to those affected, according to the San Diego Union-Tribune.
The lawsuit estimates that 30 million consumers could have had their information hacked and cited the Internal Revenue Service’s findings that hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds.
The report goes on to say that the damages can easily range into the millions because each violation carries a fine of $2,500. If true, some quick math can put the fine at roughly $625 million assuming each person counts as one violation.
The allegations have not yet been proven in court.
Drew Wilson on Twitter: @icecube85 and Google+.
