Iowa and North Carolina said they are looking into a breach involving a subsidiary of Experian Plc that exposed some 200 million social security numbers, in addition to two states that previously announced investigations.
Separately U.S. Senator Claire McCaskill, a Democrat from Missouri, chided the company, saying she was concerned it had changed its explanation of how it was responding to the breach.
McCaskill told Reuters she was troubled to learn Experian has recently said it would not be able to notify people whose social security numbers were compromised in the scheme.
“It’s troubling that Experian would wait three months after testifying, only to change their story, all while victims who had their identities stolen remain at risk as a result of this crime,” McCaskill told Reuters via email.
A Vietnamese man last month confessed in federal court in New Hampshire to orchestrating the breach. He is due to be sentenced in June.
The man, Hieu Minh Ngo, admitted to using a false identity to open an account with a firm known as Court Ventures sometime before March 2012, when Experian bought the company. He used that account to conduct more than 3 million queries of a social security number database that Court Ventures made available to clients through an agreement with another company, U.S. Info Search, according to court documents.
An official in Iowa told Reuters on Tuesday that his state has joined a multistate probe of the case, which includes at least Illinois and Connecticut. He said the states will examine whether companies took adequate steps to protect private financial data, whether they notified victims in a timely manner and what they are doing to help consumers prevent harm to their financial well-being.
“Consumer protection laws generally provide the basis for our investigations,” said Bill Brauch, director of the consumer protection division of the Iowa attorney general’s office.
Brauch’s comments are the first to indicate the direction of the multistate probe as officials with Connecticut and Illinois have so far declined to discuss such details. It is not known which other states, if any, are formally investigating the breach beyond Connecticut, Illinois and Iowa.
A spokeswoman for North Carolina’s Attorney General, Roy Cooper, said on Tuesday that he was “concerned about the matter” and gathering more information, though his office had not begun a formal probe.
Experian spokeswoman Susan Henson said her company was cooperating with authorities, but that notification was up to U.S. Info Search because it owned the database that Ngo had queried through Court Ventures.
“U.S. Info Search is the company that owns the database, and only it has the ability to know what data was returned in response to Ngo’s inquiries,” she said. “Experian has attempted to engage U.S. Info Search to assist in identifying affected consumers.”
U.S. Info Search Chief Executive Marc Martin told Reuters that it was up to Experian to notify consumers.
“The suspect didn’t have access to our system and it was Experian that sold the data and collected the funds,” Martin said.
Meanwhile, McCaskill voiced her concerns regarding the breach and the company’s change in possibly handling the issue.
Experian Senior Vice President Tony Hadley had told McCaskill at a hearing of the Senate Commerce Committee in December that “We know who they are and are going to make sure we are going to protect them.”
Last week, Experian spokesman Gerry Tschopp told Reuters that Hadley “was addressing our general policy,” and not the specific case involving Ngo.
McCaskill told Reuters that the case underscored the need to pass a federal law mandating standard procedures for notifying victims of data breaches across all 50 states.
Henson said that Experian supports passage of such a law.