T-Mobile Customer Data Leaked By Experian... And Faulty Encryption Implementation

from the well,-isn't-that-grand dept

Fri, Oct 2nd 2015 3:18am — Mike Masnick

This week's big data leak comes from mobile phone provider T-Mobile, who has admitted that someone hacked into credit giant Experian and got a bunch of T-Mobile customer data. The good news? The personal data was encrypted. The bad news? Experian fucked up the encryption and so it doesn't matter:

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

I happen to be a T-Mobile customer, and I look forward to the usual bullshit response of a year's worth of credit monitoring and promises that this will never happen again. You know, until it does.

As I've said before, I do worry about holding companies totally responsible for when they get hacked, because a determined adversary will hack into any company they want to eventually. That's just the nature of the game. But when the company appears to be totally incompetent to the point of being negligent, it seems reasonable to hold them responsible. I'm sure in the coming days we'll find out more details about how the "encryption was compromised" (and we'll also probably learn that it impacts many more people than originally claimed). But these new data breaches every week or so are starting to get ridiculous.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: customers, data breach, encryption, hack, security
Companies: experian, t-mobile

31 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Violynne (profile), 2 Oct 2015 @ 3:29am

I have no worries about this, despite being a T-Mobile customer.

Target has me covered.

I'm used to it. With all the credit monitoring I'm getting, I believe I'm now set for life plus 70 years.
[ link to this | view in chronology ]
- ltlw0lf (profile), 2 Oct 2015 @ 10:27am
  
  Re:
  I'm used to it. With all the credit monitoring I'm getting, I believe I'm now set for life plus 70 years.
  
  I know this is tongue firmly in cheek, but if you are relying on credit monitoring services to keep you secure, you've already lost.
  
  Better is to remove credit from the equation. Get rid of the big four credit reputation companies and the problem disappears immediately (well, except for the IRS, which still allows scammers to submit fraudulent tax returns based solely on publically available information, and it is pretty safe to assume that your SSN and other vital information is publically available by now.) Makes buying things on credit harder, but how many times do people actually do that in their lives.
  
  Credit freeze is really the best way of doing this, and so long as it is implemented correctly (which, considering Experian is one of the four, and they have seriously fucked up here, that is a shaky assumption,) it makes things far more difficult for the scammers/criminals to use your information to steal stuff.
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Oct 2015 @ 3:48am
    
    Re: Re:
    Credit scores are accessed for more things than just applying for credit. Your credit score might be checked when applying for jobs and renting apartments, and on signing up for various utilities including things like cell phones.
    
    I'm not saying that a credit freeze isn't a good idea, but it is something to be aware of for those considering that path.
    [ link to this | view in chronology ]
Ninja (profile), 2 Oct 2015 @ 3:50am

But these new data breaches every week or so are starting to get ridiculous.

Breaches that saw the light and got public you mean. right? What about breaches that were not disclosed to the public? Or worse, breaches that weren't even noticed?

I'm with you in the punishment part. Companies should be punished. Severely if there is evidence proving incompetence/negligence. And the Government shouldn't have more data on us than needed because it fits both criteria.
[ link to this | view in chronology ]
Grockman (profile), 2 Oct 2015 @ 4:21am

Well isn't that convenient. You can't take legal action against a any of the Credit bureaus.
[ link to this | view in chronology ]
smeee, 2 Oct 2015 @ 4:24am

Like other industry specifications
In hazardous area installations an eXd enclosure it is accepted that gas can enter the enclosure and produce an atmosphere that can explode when there is a source of ignition event. But the box is designed and tested to ensure that the explosion is contained and dissipated as it escapes and by the time it meets the ouside atmosphere it's temperature and.pressure is below what would be required to ignite and explosive atmosphere outside.

maybe that is a crap analogy :)
[ link to this | view in chronology ]
- Anonymous Coward, 2 Oct 2015 @ 5:50am
  
  Re: Like other industry specifications
  I get the analogy, however, any box will not provide adequate protection if you drill several large holes in it. Now if it is treated as a secure vault that would be another story. We'll have to see how Danny Ocean would pull it off to determine the correct security measures.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 4:25am

What Me Worry
What Me Worry… because the Veterans Administration; Heartland Payment Systems; Target; Home Depot; Office of Personnel Management; IRS; Hilton Hotels and T-Mobile [and perhaps the young lady working for a concessionaire at the Isle Royale National Park who skimmed my AMEX card and the yet unknown person working at the Whittier, CA contractor generating new 'secure ID' drivers licenses for the state, who skimmed my SSN and birth date to establish new charge accounts at Target and Kohl's] have now taken the special 'ex post facto' pledge to keep my data safe and protected.
[ link to this | view in chronology ]
Bamboo Harvester (profile), 2 Oct 2015 @ 4:49am

Is there actually....
...a standard for "encryption" these kinds of things / companies have to meet?

I've got this nagging suspicion that ROT13 is stronger than whatever most of them use...
[ link to this | view in chronology ]
- Mike Masnick (profile), 2 Oct 2015 @ 6:42am
  
  Re: Is there actually....
  I've got this nagging suspicion that ROT13 is stronger than whatever most of them use...
  
  As someone joked online yesterday, Experian probably ran everything through ROT13 *twice* for "enhanced security." :)
  [ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 4:50am

I will not give a mobile company my date of birth or ssn no.
if they ask for a date of birth give em a made up one.
A this point almost every big american company has been hacked apart from the banks and the cable tv companys .
There should be a mandated standard all customer data must be encrypted to a certain secure standard and this will
be checked by a trusted independent company every year .
Buy a phone with cash.
i have no passport and no drivers licence .
Why does, a mobile company need all that info .
I give em my name adress .That,s it.
i don,t have any phone contract.
i buy phone credit as i need it .
Have 10 companys who just specialize in data security
go around and check all database,s of companys in america
who have more than 50 thousand customers .
[ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 5:07am

Just another reason to use post-paid. As these breaches grow increasingly common, I think it would be good to reevaluate what we consider need-to-know information.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Oct 2015 @ 5:07am
  
  Re:
  *pre-paid
  [ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 5:12am

Given the scale of the hacks, you would expect mass fraud and identity theft. The banks and credit card companies seem to bear the brunt of the cost, upgrading infrastructure, issuing new cards, eating the cost of fraudulent purchases.

Am I mistaken or has there been very little harm to end-users?
[ link to this | view in chronology ]
- Anonymous Coward, 2 Oct 2015 @ 5:28am
  
  Re:
  Very few people have been on the hook for the fraud but these companies that spend billions covering their mistakes aren't shelling the money out of their pocket. It's passed on to the consumer in higher prices so in effect everyone is paying.
  [ link to this | view in chronology ]
- Justin Johnson (JJJJust) (profile), 2 Oct 2015 @ 5:31am
  
  Re:
  As far as fraudulent purchases go in the US, Federal law gives individual consumers pretty decent protection.
  
  I will note, however, that many if not most fraudulent purchases are eaten by the retailer via the chargeback mechanism and not the banks. Even with chip cards, this will probably still continue to be the case as fraud will shift to card not present fraud and Verified by Visa and MasterCard SecureCode adoption continues to be weak in the US.
  [ link to this | view in chronology ]
  - David, 2 Oct 2015 @ 7:57am
    
    Re: Re:
    So everyone ends up paying extra for things in order to make up for it. Business and banks aren't just going to take it in the shorts - prices increase to accommodate the losses.
    [ link to this | view in chronology ]
- Anonymous Coward, 2 Oct 2015 @ 7:02am
  
  Re: Am I mistaken or has there been very little harm to end-users?
  Who do you think is paying for all this stuff? The banks and credit card companies?
  
  Good one.
  [ link to this | view in chronology ]
- David, 2 Oct 2015 @ 7:55am
  
  Re:
  Given the number of people who are now "monitored" given the large number of breaches, I suspect that other fraud things are being one. Possibly ones like the "IRS" scam (scammer calling you, having personal information, demanding payment of "penalties" else they are coming to arrest you) where it's more direct and not caught by credit monitoring.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 6:07am

I call for the death penalty
Every time a data breach like this happens, a C-level executive at the company responsible should be selected at random and publicly executed.

I believe that this will provide them with the motivation they're currently lacking -- motivation to make data security their top priority instead of profits.

(If a second breach occurs at the same company? Two C-level executives.)
[ link to this | view in chronology ]
jim, 2 Oct 2015 @ 6:26am

C level
But why take it out on a c-level employee, it should be one in charge. A c-level takes orders and processes the item. Some one in the a level initiated an order. C level does or gets canned at the next meeting. So why pick someone at the c level. Secretaries and workers are the real lifeblood of a company. Bosses make or break the company with no regard or punishment for what they do. That's the shame of heirachy.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Oct 2015 @ 9:42am
  
  Re: C level
  Apparently you don't grasp that C-level means "CIO", "CFO", "CSO", etc. Those are the people running the company and invariably those are the people making massive amounts of money, primarily by screwing the workers below them and ripping off customers, lying through their teeth in press releases and press conferences. They're responsible. They should suffer the (brutal) consequences.
  
  Because until they do, this won't stop. Why should it? They can pocket their $32.7M salary and their $8M bonus and laugh all the way to the bank at the millions of poor schmucks who are going to get ripped off thanks to the latest data breach.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 7:29am

Take a single dollar or even a penny from every person who has has their data stolen/leaked and criminal organizations end up with lots and lots of money.
[ link to this | view in chronology ]
David, 2 Oct 2015 @ 7:51am

Experian hacked?
You mean one of the three companies that have credit/personal information on just about everyone in the country?

Experian also provides this service for more people than T-Mobile, right?

So what are the odds that this is the first of many?

Experian does have a credit monitoring product, so I guess that's convenient.
[ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 8:17am

My butt is covered with breaches...
What, me worry?
[ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 9:13am

So, now that it's affected YOU, maybe you will worry about corporate responsibility....
Though you're already hedging.

But not much will change unless executives are tossed into jail without bail.
[ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 9:50am

I think the biggest part of the story is it wasnt T-mobile that got hacked it was Experian...

And Experian literally has everyone's credit info.

Thankfully as we have been told its only limited to T-mobile and yes maybe T-mobile bears some responability for trusting Experian but come on.

As a T-mobile customer i'm not blaming them for hiring them. Hell the only thing Experian does is gather personal data... Oh and provide monitoring if the data being collected is being misused.... And they completely failed not only in preventing it from being stolen but also once stolen not being scrabled proteced in a aay rsndering the data unusable.... Something a teenage boy does for his porn collection better
[ link to this | view in chronology ]
- That Anonymous Coward (profile), 2 Oct 2015 @ 1:27pm
  
  Re:
  Oh come on its not like Experian sold like 200 million records to an identity theft ring... ohhh nevermind.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Oct 2015 @ 10:42am

wait for the price increase to "compensate for increased security" while they pocket the increase.

AS a certain well known sleaze bag likes to say "never waste a crisis for personal gain"
[ link to this | view in chronology ]
Gene Cavanaugh (profile), 3 Oct 2015 @ 12:18pm

Experian breach
Are you sure the hacker didn't get in through a "security"
agency back door? That seems likely to me.
[ link to this | view in chronology ]
kerrie hemphill, 28 Oct 2015 @ 10:14am

T Mobile(s') AUDACITY!
How is T-Mobile getting away with these fraudulent charges to their customers AND KEEPING THEIR CUSTOMERS?? C'MON AMERICA WE USED TO RUN THESE RIP-OFFS OUTTA TOWN... Widdle tail wagged down. As if that wasn't enough now my personal information and to some hack in a phishing phase a free ticket to steal an identity, my identity!! Disclosures ... and of this MAGNITUDE?
OMG LET US ALL DECIDE TO PUT T MOBILE TO SHAME! SHAME, SHAME, SHAME!! let's all find a worthy opponent...
I received my formal apology letter, yesterday, October 26, 2015. I was told, when I gave my "information around the 19th of september (2015)- that was when it was likely to have leaked..."like a facet! Especially strange since I didn't give them any information about myself, not on nor around that date. My information, which I conveyed to Walmart, was shared almost 3 years ago.
Purposefully the day I got a call from T Mobile, I felt I had, in my ear, a selfish ass.
I had been a customer, not even a month, with unlimited, text, calls and web. The phone, super pricey, I wouldn't have it if my son. -And, the payments seemed great.So my son bought the phone and I payed the first ,month. This was not
working out for me already, when, the month isn't over and you want what?
I called back that day after i did some processing.
I gave my account name and number. I exclaimed about and so what- to the raw smooth talker tellin' me why I owe...dis doesn't convince the customer, who is always right. I'm going to take a loss on the phone. "What?" Twas said.
I am going to sell this beautiful phone and kiss my customer ass goodbye. Blablablabla was all I heard and then I said Y'all n'r gonna get anything more, bye bye now.... T mobile has the AUDACITY to send me that bill, that bogus bill, still? Let us all say, T Mobile Sucks! Let us put them all the way down outta business......T Mobile takes from the giving and then discloses, in a widdle incident, MY IDENTITY. OK WHO'S WITH ME?

We apologize we didn't get it the first go 'round
[ link to this | view in chronology ]