If you’re a T-Mobile customer or applied for T-Mobile service at any point between September of 2013 and September of 2015, then you’re probably one of the 15 million customers compromised by the latest data breach at Experian. The credit monitoring company revealed that a data breach compromised one of its servers containing T-Mobile customer data.
A press release from Experian explains, “The data acquired included names, dates of birth, addresses, and Social Security numbers and/or an alternative form of ID like a drivers’ license number, as well as additional information used in T-Mobile’s own credit assessment. No payment card or banking information was acquired.”
The implication is that this is somehow good news. At least those pesky hackers didn’t get your credit card or banking information. One problem with that philosophy: you can cancel or change your credit card and banking information, but your name, date of birth, Social Security number and other personally identifiable data are sort of permanent. In other words, having personal data compromised is actually much worse than having credit card or banking data compromised, because it exposes victims to an indefinite threat of identity theft.
“It’s tempting to consider this breach a lesser risk because no credit card data was compromised, but the loss of this type of personal information can lead to identity theft,” agrees Tim Erlin, director of IT security and risk strategy for Tripwire. “It can be both difficult and costly for consumers to recover when their identity is stolen.”
Mike Spykerman, Vice President at OPSWAT, warns, “Data breaches are on the rise since they are lucrative and relatively low risk. The T-Mobile breach highlights the fact that attackers are now aiming for personal data instead of credit card information since identity theft brings in higher rewards. Unfortunately, as long as there is a market for stolen data, data breaches will continue to increase.”
“The information stolen from Experian can be combined with data from other sources and potentially used in sophisticated attacks. It’s become commonplace to offer credit monitoring to victims of a data privacy breach, but other attacks could fall outside the monitored time period,” said data loss prevention expert Gord Boyce, CEO of FinalCode, a file security firm. “While there is reference to Experian’s use of encryption for some data, this public disclosure would indicate that personal and identifiable information has, indeed, been exposed. The T-Mobile and Experian relationship illustrates the importance of tracking and auditing the use of sensitive and regulated data in different forms throughout its lifecycle and processing supply chain.”
Sadly, this is becoming common: not just data breaches in general, but specifically data breaches at Experian. “When you type ‘Experian’ into Google, the suggested first result is ‘Experian data breach’, the next results are ‘Experian data breach 2014’ and ‘Experian data breach 2013’,” exclaims Gavin Reid, VP of threat intelligence at Lancope. “Experian has experienced 3 major hacks in as many years! If this isn’t a wake-up call to take action, I don’t know what is.”
Tripwire’s Erlin also summed up the situation with a bit of wisdom. “It’s rare to see a breach where the details don’t change after the initial announcement. We’re likely to see more information from both T-Mobile and Experian in the coming days as investigations proceed.”
Ken Westin, a senior security analyst with Tripwire, adds, “This should be a wake-up call for the carriers and their business partners to be on guard as we usually see these types of attacks occur in clusters within a given industry.”
One word of caution for those who are affected or think they might be: Experian stresses that under no circumstances will Experian or T-Mobile call you or send you a message and ask for your personal information in connection with this incident. So be aware and watch out for related phishing scams.