T-Mobile Customer Data Leaked By Experian... And Faulty Encryption Implementation
from the well,-isn't-that-grand dept
This week's big data leak comes from mobile phone provider T-Mobile, who has admitted that someone hacked into credit giant Experian and got a bunch of T-Mobile customer data. The good news? The personal data was encrypted. The bad news? Experian fucked up the encryption and so it doesn't matter:

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver's license or passport number), and additional information used in T-Mobile's own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

I happen to be a T-Mobile customer, and I look forward to the usual bullshit response of a year's worth of credit monitoring and promises that this will never happen again. You know, until it does.
As I've said before, I do worry about holding companies totally responsible for when they get hacked, because a determined adversary will hack into any company they want to eventually. That's just the nature of the game. But when the company appears to be totally incompetent to the point of being negligent, it seems reasonable to hold them responsible. I'm sure in the coming days we'll find out more details about how the "encryption was compromised" (and we'll also probably learn that it impacts many more people than originally claimed). But these new data breaches every week or so are starting to get ridiculous.
Filed Under: customers, data breach, encryption, hack, security
Companies: experian, t-mobile
Reader Comments
Target has me covered.
I'm used to it. With all the credit monitoring I'm getting, I believe I'm now set for life plus 70 years.
Re:
I know this is tongue firmly in cheek, but if you are relying on credit monitoring services to keep you secure, you've already lost.
Better is to remove credit from the equation. Get rid of the big four credit reputation companies and the problem disappears immediately (well, except for the IRS, which still allows scammers to submit fraudulent tax returns based solely on publicly available information, and it is pretty safe to assume that your SSN and other vital information is publicly available by now). Makes buying things on credit harder, but how many times do people actually do that in their lives?
Credit freeze is really the best way of doing this, and so long as it is implemented correctly (which, considering Experian is one of the four, and they have seriously fucked up here, that is a shaky assumption,) it makes things far more difficult for the scammers/criminals to use your information to steal stuff.
Re: Re:
I'm not saying that a credit freeze isn't a good idea, but it is something to be aware of for those considering that path.
Breaches that saw the light and got public, you mean, right? What about breaches that were not disclosed to the public? Or worse, breaches that weren't even noticed?
I'm with you in the punishment part. Companies should be punished. Severely if there is evidence proving incompetence/negligence. And the Government shouldn't have more data on us than needed because it fits both criteria.
Like other industry specifications
maybe that is a crap analogy :)
What Me Worry
Is there actually....
I've got this nagging suspicion that ROT13 is stronger than whatever most of them use...
Re: Is there actually....
As someone joked online yesterday, Experian probably ran everything through ROT13 *twice* for "enhanced security." :)
If they ask for a date of birth, give 'em a made-up one.
At this point almost every big American company has been hacked apart from the banks and the cable TV companies.
There should be a mandated standard: all customer data must be encrypted to a certain secure standard, and this will be checked by a trusted independent company every year.
Buy a phone with cash.
I have no passport and no driver's licence.
Why does a mobile company need all that info?
I give 'em my name, address. That's it.
I don't have any phone contract.
I buy phone credit as I need it.
Have 10 companies who just specialize in data security go around and check all databases of companies in America who have more than 50 thousand customers.
Am I mistaken or has there been very little harm to end-users?
Re:
I will note, however, that many if not most fraudulent purchases are eaten by the retailer via the chargeback mechanism and not the banks. Even with chip cards, this will probably still continue to be the case, as fraud will shift to card-not-present fraud and Verified by Visa and MasterCard SecureCode adoption continues to be weak in the US.
Re: Am I mistaken or has there been very little harm to end-users?
Good one.
I call for the death penalty
I believe that this will provide them with the motivation they're currently lacking -- motivation to make data security their top priority instead of profits.
(If a second breach occurs at the same company? Two C-level executives.)
C level
Re: C level
Because until they do, this won't stop. Why should it? They can pocket their $32.7M salary and their $8M bonus and laugh all the way to the bank at the millions of poor schmucks who are going to get ripped off thanks to the latest data breach.
Experian hacked?
Experian also provides this service for more people than T-Mobile, right?
So what are the odds that this is the first of many?
Experian does have a credit monitoring product, so I guess that's convenient.
My butt is covered with breaches...
So, now that it's affected YOU, maybe you will worry about corporate responsibility....
But not much will change unless executives are tossed into jail without bail.
And Experian literally has everyone's credit info.
Thankfully, as we have been told, it's only limited to T-Mobile, and yes, maybe T-Mobile bears some responsibility for trusting Experian, but come on.
As a T-Mobile customer I'm not blaming them for hiring them. Hell, the only thing Experian does is gather personal data... Oh, and provide monitoring if the data being collected is being misused.... And they completely failed not only in preventing it from being stolen but also, once stolen, in not having it scrambled/protected in a way rendering the data unusable.... Something a teenage boy does for his porn collection better.
As a certain well-known sleazebag likes to say, "never waste a crisis for personal gain."
Experian breach
agency back door? That seems likely to me.
T Mobile(s') AUDACITY!
OMG LET US ALL DECIDE TO PUT T MOBILE TO SHAME! SHAME, SHAME, SHAME!! let's all find a worthy opponent...
I received my formal apology letter yesterday, October 26, 2015. I was told, when I gave my "information around the 19th of September (2015), that was when it was likely to have leaked..." like a faucet! Especially strange since I didn't give them any information about myself, not on nor around that date. My information, which I conveyed to Walmart, was shared almost 3 years ago.
Purposefully the day I got a call from T Mobile, I felt I had, in my ear, a selfish ass.
I had been a customer, not even a month, with unlimited text, calls and web. The phone, super pricey, I wouldn't have it if my son. And the payments seemed great. So my son bought the phone and I paid the first month. This was not working out for me already, when the month isn't over and you want what?
I called back that day after I did some processing.
I gave my account name and number. I exclaimed about it, and so what, to the raw smooth talker tellin' me why I owe... dis doesn't convince the customer, who is always right. I'm going to take a loss on the phone. "What?" 'Twas said.
I am going to sell this beautiful phone and kiss my customer ass goodbye. Blablablabla was all I heard and then I said Y'all n'r gonna get anything more, bye bye now.... T mobile has the AUDACITY to send me that bill, that bogus bill, still? Let us all say, T Mobile Sucks! Let us put them all the way down outta business......T Mobile takes from the giving and then discloses, in a widdle incident, MY IDENTITY. OK WHO'S WITH ME?
We apologize we didn't get it the first go 'round