Experian, a vendor which processes T-Mobile’s credit applications, has been breached, putting 15 million T-Mobile customers at risk. Innocent users have had personal information such as their name, address, and date of birth exposed to the criminals. In addition, encrypted fields in the hacked databases including “social security number and ID number (such as driver’s license or passport number)” may be at risk. Security experts from Vasco, Tripwire, ESET, Intercede, Cyrptzone and Former FBI Special Agent, Nuix and Lieberman have the following comments.
[su_note note_color=”#ffffcc” text_color=”#00000″]Ken Westin, Senior Security Analyst at Tripwire :
“Wireless carriers have long been a hot target for hackers due to the wealth of information they store on their customers. It should not be a surprise that we see cybercriminals targeting business partners as they can prove to be easier targets than the carrier themselves.
This should be a wake up call for the carriers and their business partners to be on guard as we usually see these types of attacks occur in clusters within a given industry.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin Director of IT Security and Risk Strategy at Tripwire :
“It’s tempting to consider this breach a lesser risk because no credit card data was compromised, but the loss of this type of personal information can lead to identity theft. It can be both difficult and costly for consumers to recover when their identity is stolen.
While this is certainly not good news for those affected, the fact that no other customers of Experian’s appear to be compromised indicates that they’re segregating the data in a way that limits exposure. Breaches are a fact of life these days, and limiting damage is an important part of a comprehensive protection strategy.
It’s rare to see a breach where the details don’t change after the initial announcement. We’re likely to see more information from both T-Mobile and Experian in the coming days as investigations proceed.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, IT Security Specialist at ESET :
What are the risks for customers?
“This data may be used in targeted phishing attacks to get more useful data that could also be used for identify theft or other malicious purposes. We all know how to handle that random caller or email that tries to scam us with a half-hearted attempt at gaining our trust but if they are armed with some kind of information that is true along with some knowledge of our explicit data (names, addresses) that trust could be the stepping stone to a successful scam being completed.”
Is it likely that the number of people found to be affected will go up?
“Yes almost certainly, data will be circulated and used elsewhere for ongoing spam or malware campaigns. All data has a value and we need to understand that any information can be used for malicious reasons.”
Tips for customers?
“Be vigilant against people calling or emailing with sporadic bits of information in an attempt to gain more data about you. Change your passwords NOW, also remember that you can use different bits of information when filling out forms or applying for web page access, you don’t need to tell the truth about your favourite colour or your first dog’s name. Speak to your bank or financial organisation so they are aware and if still concerned sign up for a reputable credit checking organisation to keep an eye on your credit activity. Lastly keep an eye on your bank statements especially small sporadic payments that are classed as “under the radar” that sometimes can be used to test your bank details.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]John Gunn, VP of Communications, VASCO Data Security International :
“Experian says no credit card data was acquired “only” personal data including social security numbers as though this is positive news. You can get a new credit card in as little as 24 hours, but you can never get a replacement social security number. It is the hacker-gift that keeps on giving for the rest of the victim’s life.
“Experian coughs up the Social Security numbers of 15 million people and then turns it into a marketing tool to sell the victims their $16 a month identity theft protection service.
“The major MNOs such as T-Mobile have the potential to become the next wave of identity brokers for the mobile generation. This would place them in direct competition with Experian, the company that just did more damage to their reputation than any competitor could ever hope for.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Richard Parris, CEO at Intercede :
“The news that 15 million T-Mobile customers have been affected by a data breach at Experian should be a wakeup call for all telcos. In an independent survey of 2,000 16-35 year old consumers (dubbed ‘Millennials’), it was revealed that only four percent of Millennials put complete trust in their telecommunications operators. 15 percent of respondents place no trust in their operator, 25 percent place ‘a little’, 37 percent place ‘some’, and just 19 percent place ‘a lot’.
“Given this, it is evident that the telecommunications industry has a lot of work to do in order to restore consumer faith. Protecting customers’ private data should be a top priority for any organisation. Failure to demonstrate that adequate safeguards are in place could result in customer churn to a competitor.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software :
What should companies do to secure the data they are giving to vendors?
“Breaches like the most recent at Experian that has exposed 15M T-Mobile customers will happen regardless what organizations do. Perfect security is not possible. The best thing that organizations can do to protect themselves is make sure they build the likelihood of breach into their contracts and operations. When another company gets robbed of your data, there should be a clear course of action and agreed on responsibilities for both organizations. Much like the notion of acceptable loss in retail, where firms know some merchandise will be lost to thieves and bad employees, organizations must run their operations assuming breach will happen sometimes and have well defined recovery plans.”
What should affected customers do?
“The only thing T-Mobile customers whose data has been swept up in the Experian breach can do is continue – or perhaps start – to live as if their data is now public knowledge. That means keeping a very watchful eye on transactions and being doubly suspicious of those who comes calling to “help.” Ironically, many turn to firms like Experian in these times to check if their data is being abused.”
Any other comments?
“This is at least the 3rd reported breach of Experian’s systems since 2013. That goes a long way to support the idea that the bad guys are professionals trying to get everything they can as often as they can. A company like Experian to whom other massive firms like T-Mobile hand over huge volumes of data is a natural target for attack. This is why the old (but apocryphal) story says that when they asked the thief why he robbed banks he said “Because that’s where the money is.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Leo Taddeo, CTO Cryptzone and Former FBI Special Agent in Charge Cyber/Special Ops :
This hack is interesting because the report says Experian told T-Mobile that the encryption protections may have been compromised. It would be very important for other network operators to know how that happened.[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Christopher Pogue, SVP, Cyber Threat Analysis, Nuix :
“The interesting bit is not “if” the FTC, SEC, and FCC will get involved, but WHEN they do. Whose authority will trump the others? Based on the ruling of the Third Circuit, it seems that the FTC will have the upper hand, but we’ll have to see. Regardless of which regulatory agency prevails (and there may be more than one) the impetus will be on Experian to prove that they exercised a “reasonableness” of care. Which is also interesting, since it’s a bit of a moving target; none of the regulatory agencies have clearly defined “reasonable”, so Experian’s ability to establish their cybersecurity practices met this elusive standard is pretty low. Based on my experience, and the direction of post breach litigation, Experian is in a very bad place.
The implications for Experian are multi-faceted. There WILL be a class action lawsuit (perhaps several), there are 47 different state breach disclosure notifications laws that will require compliance, 14 different Attorney’s General that will need to be notified, and there will be at least one inquiry by the FTC, SEC, and/or FCC (likely all three). Not to mention they will be responsible for paying any sort of regulatory fines (which there will be plenty of), fraud reimbursement of any victims, credit monitoring services (which interestingly enough by its very presence meets the requirement to show the damages necessary to proceed with class action litigation), and the directors and officers could face negative action by the SEC. There is also brand damage, loss of customer confidence, and loss of market share.[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Pierluigi Stella, CTO, Network Box USA :
“I find it of extremely poor taste that the CEO of T-Mobile would bash Experian in such a public manner.
Do you want to lash out in private with their CEO? Go for it; yell, scream, kick a chair, throw a tantrum. But please, keep your cool in public. Maintain a professional composure. I’m sure they didn’t release your data to the public voluntarily; and I’m certain they take security as seriously as you say you do. Just because you haven’t been breached directly yet, doesn’t give you the right to shout this way. Especially because the most likely scenario is that you’ve been breached, and you don’t even know it yet. At least, they found out and stopped the leak!
As for the breach itself, it’s clear we don’t seem to know what we’re doing, and hackers have the upper hand. They appear to get in and out of networks at will. Perhaps when the culture of every company becomes more accustomed to security, when security becomes the norm rather than the exception, the hackers will start having a harder time. But for now, they’re winning, and heavily. And don’t blame it on the techies, don’t fire the CSO, don’t go spending a billion dollars on another super IPS. Spend money on the human aspects of hacking; educate your users and make them more aware of the issues they can cause when they click without thinking!”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Igor Baikalov, Chief Scientist, Securonix :
“The good news is that Experian has learned from the 2012 breach at its subsidiary that exposed 200 million consumer records – Social Security and ID numbers (driver license or passport number) in the most recent breach were encrypted. The bad news is that this encryption may have been compromised too. Ironically, Experian’s own Data Breach Resolution brochure, that summarizes lessons from the case studies, insists in its Lesson #1: Encrypt, Encrypt, Encrypt that ‘not everyone in your organization needs to know the key to unlocking the encryption.’
Apparently, leaving that key on the same server that contained encrypted data was not a great idea. An offer of credit protection from the credit bureau that was just breached is not that appealing either.
Considering that the identity of average American has been stolen at least 2.5 times over the last 10 years, the value of Social Security or driver license numbers as an authenticator is about as good as a ZIP code. Since we cannot protect this data, let’s at least devalue it by switching to random numbers, or smiley faces, or something.”[/su_note]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.