Last Thursday, John Legere, the C.E.O. of T-Mobile, joined the ranks of the dozens of chief executives who, in the past few years, have had to inform their customers that their personal information has been stolen. “One of our vendors, Experian, experienced a data breach,” Legere tweeted, referring to a Dublin-based credit bureau that his company uses to collect, store, and secure customers’ personal information. Experian explained the details on its Web site:
The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services or products, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment were accessed. No payment card or banking information was obtained.
As one of the fifteen million people who applied for T-Mobile USA’s post-paid services during that period, I was particularly aghast to learn about this breach. T-Mobile USA has, in the past two and a half years, been selling itself as an “uncarrier,” dedicated to upending the telecom industry’s status quo by offering simpler, cheaper, and more intelligible plans. I’d bought into this spin, and believed that it was the way forward for the industry.
Although no financial information was stolen in the T-Mobile breach, the completeness of the data that was acquired is akin to a Lego set for an identity thief. The fraudsters can set up new lines of credit or file for phony tax refunds in our names, and there isn’t much we can do about it. The cybersecurity consultant Bryan Seely told the Seattle Times that, on a scale of one to ten, this breach rates a seven, because it included fifteen million Social Security numbers, along with names and addresses. “When Target had a breach, people were reissued cards. You can’t reissue Socials that easily,” he said. Over the weekend, the e-commerce security firm Trustev claimed that it had found data sets from the Experian hack for sale on the dark Web…
By now, we’re familiar with this pattern: a company discloses a data theft, executives express grave concern, and customers are left to reset their passwords and sign up for free data protection, feeling all the while like data piñatas…
An offer of a credit-watching service in the wake of a hack is sort of like getting an alert after a fire has burned down your house. Moreover, in a recent blog post, Brian Krebs, of Krebs on Security, wrote, “Identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name.
RTFA for more details and Om’s analysis including the political problems with trying to get business security into the 21st Century. As Om says, 800 data breaches in one year proves the status quo isn’t working.