Experian Breached, 15 Million T-Mobile Customer's Data Exposed
New submitter Yuuki! writes: The Washington Post reports that T-Mobile's credit partner, Experian, has been breached, revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer who has applied for device financing or even services from T-Mobile which required a credit check. Both parties were quick to point out that no credit card or banking data was stolen as part of the attack. The attack started back in September 2013 and was only just discovered on September 16, 2015. Both Experian and T-Mobile have posted statements on their websites, and Experian is offering credit for two free years of identity resolution services and credit monitoring in the wake of the breach.
Two free years of credit monitoring after the bad guys had two free years of access! Great work, Experian!
What a shame, but nothing will really change once this is all hashed out.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Thank God my Credit Card numbers weren't breached, because those are impossible to cancel and replace. I'm so thankful it was only my Passport number, Driver's License number, social security number, full legal name, birth date, and address that were stolen, because those are a snap to cancel and replace.
They need to make more reparations than that, as actual remedy, compensation and punitive damages with a positive, non govt funding goal.
In corporatese, "I'm sorry" are empty words with no meaning without restitution and money.
As an identity theft victim, let me say that "no credit card or banking data was stolen" means nothing. With name, address, SSN, and birth date compromised (as well as driver's license and passport numbers), anyone can now open new lines of credit in the names of any of the 15 million people whose information was accessed. And the two years of "credit monitoring" will do almost nothing. Fraud alerts won't either - those are voluntary.
My recommendation if you are one of the 15 million people is to freeze your credit. This will stop ANYONE from opening a new line of credit under your name unless you first thaw your credit file. It's a royal pain in the rear when you need to do things like refinance a loan, but it's better than having a collections agency banging down your door because you owe $5,000 on a credit card that "you" opened.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The apostrophe should go after the 's'.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
One of the three major credit rating services? I'm a little bit impressed that this breach was limited to only everyone who has ever applied for T-Mobile service.
Guess what they're not giving you? Your actual credit report. You just get the abbreviated version, so you can't actually look it over and see if this generally corrupt industry is fucking you. They will, however, sell you your credit report at a special members-only price. So what's happened here basically is that Experian is getting free advertising and T-Mobile is going to get off without punishment.
Fuck you Experian, and fuck you T-Mobile.
I already said fuck T-Mobile since they cancelled the PAYG plans I've been using, but fuck them twice now.
Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I sense a disturbance in the Magenta Force, as though millions of teenage girls cried out at once and then, nothing.
Pretending this is my office full of bitter coworkers...
The almighty google:
"Taboola | Drive Traffic and Monetize Your Site"
"Ooyala | Deliver Content that Connects
www.ooyala.com/
Ooyala goes beyond traditional online video platforms, offering best-of-breed online video analytics and monetization solutions that boost revenues from video."
So as per usual it's someone trying to make money from your traffic.
One of the best things that can be done to prevent data breaches is to require that data be deleted after a certain time. I don't see a good reason why 15 million customers should have their data retained after the credit check is complete. It won't stop breaches, but it would limit their scope. There also need to be severe penalties for negligent security or for failing to notify customers in a timely manner. Better yet, eliminate Social Security numbers for identification altogether outside of Social Security and (maybe) tax purposes. And it's no surprise that a credit bureau was attacked. They're gold mines of information waiting to be compromised. I'd like to see particularly strong regulation of these companies. Consumers don't really get to opt in, but this personal information is stored and can be compromised easily. That doesn't seem fair at all to me.
seems every year the thing to do is open a T-Mo account, "buy" an iphone and resell it before it's bricked for not paying the bill
is to maintain a truly horrific credit score.
Go to all 3 reporting agencies and lock them down. It only takes a little time per agency and will save you years of headaches later. If you need to apply for credit unlocking is just as easy. You can choose a time frame or a specific company to allow through.
Experian is offering two years of free credit monitoring in connection with the breach of their system. In order to sign up for the two-year credit monitoring they require you to provide your full identity: SS number, birth date, etc. Isn't that just the information that was just compromised in their system??? How do they think they can be trusted??? This does not resolve the problem of their lack of network security with sensitive information.
Get Ghostery...
Don't forget Janrain, Nativo and scorecard. Thank you Ghostery.
It is high time the abuse of the Social Security Number ended. SSNs should be used for one thing: Social Security. Using a single "secret number" is an archaic system that for increasing numbers of people is no longer secret. Let's not forget all your other details which are used to identify you but aren't really that secret (your full name, your birthday, etc).
This information is used for identifying a person or proving identity so it's an authentication problem. We can do better! We have public key encryption. The government issues you a key pair (say, embedded into a photo ID, which we all have already) and now you can prove your identity without giving someone an irrevocable secret.
Authentication is also two-factor: you have an ID and you know a PIN (or passphrase). If you lose your card, then your identity is not immediately compromised because it is protected by your PIN. This gives you time to have the gov't revoke your old key pair and issue you a new one.
In the case of the credit bureaus (I think we can all safely assume credit isn't going away any time soon), they associate your credit history with your public key and nothing else. If the key is revoked (by the gov't), then they move your file to the new key. No one can take out credit using the old key. In fact, any attempt could be reported to law enforcement.
The entire US Department of Defense has been using a system like this for years now and has by and large done away with things like passwords and hand signatures, especially for the things that matter most.
Is this completely foolproof to prevent someone impersonating you? No, but it is much better than having your SSN and other PII out on some forum where just anyone can use it for nefarious purposes and would be well worth its cost and complexity. The greatest obstacle is the credit bureaus having nothing to gain in actually protecting their "customers'" data because then to whom will they sell credit monitoring?
Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
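The scheme sketched in the comment above (a government-issued key pair on a photo ID, a PIN as the second factor, a credit bureau that files history under the public key and nothing else, and revocation followed by moving the file to the replacement key) worked through end to end. This is an added example, not code from the original thread or from any real registry or bureau; it uses Go's standard crypto/ed25519 for the key pair and signatures. The Registry, Card and Bureau types, the hex-encoded public key as the file identifier, and the SHA-256 PIN check are all assumptions made for illustration, and the sample credit history is a constructed string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry stands in for the government issuer; a key counts as revoked once it has a successor.
type Registry struct {
	successor map[string]string // keyID of revoked key -> keyID of its replacement
}

func NewRegistry() *Registry { return &Registry{successor: map[string]string{}} }

// Card is the photo ID with an embedded key pair; signing needs the PIN (the second factor).
type Card struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey // never leaves the card
	pinHash [32]byte
}

// keyID is what the bureau stores in place of an SSN (assumed encoding for this example).
func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Issue creates a card bound to a PIN.
func (r *Registry) Issue(pin string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{Pub: pub, priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Revoke kills a lost card's key and records its freshly issued replacement.
func (r *Registry) Revoke(lost, fresh *Card) { r.successor[keyID(lost.Pub)] = keyID(fresh.Pub) }

// Sign answers a challenge only with the right PIN, so the card alone is useless to a thief.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// Bureau keeps credit files keyed by public key only: no SSN, no birth date.
type Bureau struct {
	reg   *Registry
	files map[string]string // keyID -> credit history
}

func NewBureau(reg *Registry) *Bureau { return &Bureau{reg: reg, files: map[string]string{}} }
func (b *Bureau) OpenFile(pub ed25519.PublicKey, history string) { b.files[keyID(pub)] = history }

// NewChallenge returns a fresh nonce so a captured signature cannot be replayed later.
func NewChallenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Authenticate releases the file only for a valid signature over the challenge from a
// live key; a revoked key turning up is exactly the event worth reporting.
func (b *Bureau) Authenticate(pub ed25519.PublicKey, challenge, sig []byte) (string, error) {
	if _, dead := b.reg.successor[keyID(pub)]; dead {
		return "", errors.New("revoked key presented: flag for investigation")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("bad signature")
	}
	return b.files[keyID(pub)], nil // a valid but unknown key simply has no history yet
}

// Rotate moves the history from a revoked key to the successor the registry recorded.
func (b *Bureau) Rotate(old ed25519.PublicKey) error {
	next, ok := b.reg.successor[keyID(old)]
	if !ok {
		return errors.New("key is not revoked, nothing to move")
	}
	b.files[next] = b.files[keyID(old)]
	delete(b.files, keyID(old))
	return nil
}

func main() {
	reg := NewRegistry()
	bureau := NewBureau(reg)
	card, _ := reg.Issue("1234")
	bureau.OpenFile(card.Pub, "constructed sample history: 2 accounts, no delinquencies")
	ch := NewChallenge()
	sig, _ := card.Sign("1234", ch)
	fmt.Println(bureau.Authenticate(card.Pub, ch, sig)) // prints the history and <nil>
}
```

Two details carry the security argument. The bureau never learns anything it could leak that would let someone else open credit: the only stored identifier is a public key, and presenting it without a signature over a fresh nonce proves nothing. And the PIN check lives on the card, so the lost-card case the comment describes degrades to "attacker has a key they cannot use" until the registry records a successor, at which point the old key is refused outright and the file moves. A real card would hold the private key in a secure element and rate-limit PIN attempts; the plain hash comparison here is a stand-in for that.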
Give us one other value add.... The ability to meaningfully challenge our record and purge items which aren't ours. And give it to everyone. And make it stick across all credit services. That would go a lot further than your free identity protection and whatever other bullshit you think will mollify us.
All told, I have 17,300 years of credit monitoring due to various corporate negligence.
There's no way they're going to steal my identity again!
"15 million". Huge number. It usually takes the power of the US Federal Government to screw up this big.
But one thing is not clear from TFA, let alone from the slightly misleading TFS.
This is an Experian hack, not a T-Mobile hack. What makes any "expert" think the exposure is limited to someone who interacted with T-Mobile? Experian is one of the awful ubiquitous unavoidable facts of life, much like the Government (see above). If you have participated in any non-cash financial transaction, they probably have a file on you.
What are the particulars of this breach that make it strictly an "Experian interacting with T-Mobile" risk? Experian is huge, and if you're counting on some kind of strict internal data partitioning within the company to restrict the attack area to "T-Mobile applicants" you're too naive to sit with the grown-ups.
Seriously. Why the fuck isn't this a maximal-sized no-holds-barred every-file-Experian-holds breach?
Welcome to the Panopticon. Used to be a prison, now it's your home.
Good news everyone! The bad guys only got things like your SSN, which can never be changed and which will haunt you forever, but not the credit card numbers which can easily be replaced and you probably wouldn't be liable for any illicit charges on, anyway.
Gamingmuseum.com: Give your 3D accelerator a rest.
that's all
These breaches are a good thing, because they are forcing evolution.
Something we in IT have always known is that security cannot be solely applied through obscurity. There will always be opportunity, tools and motivation that expose it.
This has never translated into other information sensitive disciplines, and right at this moment we have a tremendous amount of fragility in our financial and personal identification infrastructures because there is no concept of authentication.
That has to change. More of these breaches, which are not in and of themselves exceptions but rather the rule, will raise awareness to the reality of the situation - that attempting to protect oneself by hoping that ever more widely distributed sensitive information isn't disclosed, is not feasible.
"No good deed goes unpunished"
There should be a logical fallacy formalized for this style of argument: "We really fucked up... but at least the world didn't explode!"
"T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers"
What I want to know is - in this day and age - what this data was doing on a server, connected to the Internet in an unencrypted form.
"numbering services not available for that area"
whatever the shit that means
I went to the Tmobile site and what happened?
I got a popup saying "T-Mobile wants to know your location"
How fucking ironic.
-Styopa
Took two years to discover the breach! Great security checks there, Experian. They didn't get the credit card and bank account info, just everything they need to steal a person's identity and open their own credit accounts. If I were CEO of Experian, the IT department, especially the security division, would be finding their heads on the proverbial chopping block.
It seems to me if it's been going on for 2 years, Experian hasn't been doing the job to secure our data. They should be facing some criminal charges or fines over this. Better yet; they should shut down. This is very gross incompetence. What's the two years going to do? "Oh, someone is using your data. LOL. Sorry." That's pretty much all they're going to do. They're not going to help solve a problem they are responsible for. They need to be held responsible; by someone. 2 days I could understand; 2 years is just plain incompetence.
Between Anthem, OPM, and Experian, we're nudging up on "almost everyone's SSN has been leaked" territory.
Now I don't have to worry about my lost tablet or my Ashley-Madison account.
The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates, driver's license and passport numbers
Both parties were quick to point out that no credit card or banking data was stolen as part of the attack
Great, so the banking and credit card data--which would only lead to fraud for which the individual would not be held accountable--wasn't stolen. But all the most valuable data for applying for fake credit and identity theft was! Much harder to fight off fake accounts than fake charges on a valid account.
This should go beyond just two years of free monitoring... what do I do when someone is out there impersonating me? Hope I have an alibi when they come looking for me, but that's sort of tough to do when you're a basement-dwelling hermit...
Experian partitioned clients apart from one another. The breach hit their T-Mobile systems, which is why they are mentioning it only affects T-Mobile customers. But you are right not to trust Experian: if it happened to one of their systems it could be happening as we speak to any other of their clients. It could also be happening to any of the other credit partners or banks as well, and we'll find out in the coming years. My father used to work for a large bank; he would always tell me stories of breaches that occurred, like people from Nigeria faking checks, etc. And I asked why the banks weren't more proactive with their security procedures. He said it was because they do a cost analysis and determine that there is an acceptable amount of risk, because securing your accounts is costly compared to the losses. I think that as these breaches increase in frequency in the digital age, that cost-benefit analysis graph is going to turn upside down and not look as rosy anymore.
I read the Experian notification of the breach.
The _hack_ occurred over a "limited period of time". The _data_ that was exposed was from a two year time period.
So, no one has been hacking Experian for two years continuously.
Odds are really good that I'm affected, and believe me I know this doesn't make any difference :)
I just received a letter from the IRS saying my personal information was inadvertently released (employee took a laptop home which they subsequently lost? I can't remember the specifics of this data breach and the letter didn't say), and they were going to pay for a year of Experian credit monitoring if I wished. Only it was up to me to contact Experian and give them some case number that was included in the letter to get the "free" year (note: not actually free, but using my own tax money to pay for it). So their solution to their lax security in storing my data, is for me to also give that data to another entity, not even a government entity, who apparently has equally lax security!
WTF would they have passport numbers for a T-Mobile phone?!?
It seems strange they'd even have a slot to store US passport numbers, considering that the vast majority of US citizens don't have or need a passport, eh?
That just struck me as odd that they'd have this stored associated with a mobile phone credit application.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Thank God that only things like Social Security numbers were stolen - easily replaceable things like credit card numbers are still safe. Whew!
Shit. I guess this might have something to do with a number of places telling me my SS# is either invalid or "has multiple names attached" (Why are multiple names attached to a single number even allowed? I would think it should return an error since there is no legitimate use for multiple names tied to a single number).
Get NoScript, if you don't already have it.
How about 2 years of high credit scores.
>revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer
but no credit card numbers or banking data (other than your names, addresses, Social Security numbers, birth dates and driver's license and passport numbers)
>Experian is offering credit for two free years of identity resolution services and credit monitoring
Were you really planning on living longer than that?!
Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
When did Lars Ulrich start working at T-Mobile?
We play the game with the bravery of being out of range
Plus the unholy G-fecta of Google DoubleClick, Google AdWords, and Google Analytics. Slashdot has really started piling on the ads and trackers lately. Ghostery doesn't block the player.ooyala.com junk yet, so I've done that at my edge name server (which handles wildcards and is far better than a h-sts file, lest our resident spamming kook get any ideas).
Working in the financial industry, I can say many B2B transactions use dedicated accounts... so T-M uses a different account than XYZ when transferring data with Experian.
There is no obvious button to log into slashdot now so here I am anon. Maybe this has something to do with /. being up for sale? I wanted to comment on this story but not as anon. Don't believe me? Log out, then log back in if you can and tell me about it.
Ah, "dedicated accounts." That's just exactly like physical isolated network and storage architectures, right? So that if a cracker has, let's pretend*, a whole two years to poke around, they can't get through the impenetrable internal partitions between accounts.
*facepalm*
Air gap or GTFO.
*And by "pretend", I mean "since they actually had two years undetected"...
I am posting anonymously because my company just cancelled a project with Experian. It started bad, and got worse and worse.
You may not know this, but Experian is trying to start a mailing list service, like Mailchimp. I work for a large broadcasting company, and we signed up to switch to their mailing lists. What scared the crap out of me is that we weren't just giving Experian an email address and subscribe/unsubscribe information for each mailing list. We were handing over pretty much all of the demographic data we had collected.
Think about this for a minute. Experian, the credit rating company, was being given information about your personal likes and dislikes. I could already imagine them saying, "This person likes rap music. Lower their credit rating." or, "This person only reads conservative news. Looks like a good ol' boy to me."
Fortunately, for now, Experian turned out to be totally incompetent. Their "API" was a joke, and the beautiful, fully featured front-end interface that they had "demonstrated" turned out to not exist at all. We dropped the project after converting one station, and now we are fighting to get out of the contract we signed.
It's now been 6 years since I've had to pay for credit reports because of all the breaches my data has been involved in.
Who is RTFM and when will he help me with Unix?
At least they have a sense of humor about it. "But no credit card numbers were stolen"? Who would need that after they have your SSN, full name, address, birthday, driver's license and PASSPORT NUMBER? That's enough to have any credit card you want. Wait, they don't have a sense of humor, do they? They are not kidding, are they? They really do think this cloud has a silver lining? Oh, what the hell. If the Secretary of State can send emails through an unsecured server, and the IRS has a six-month data retention policy and can get away with claiming six employees' hard drives simultaneously crashed right after receiving subpoenas, maybe Experian does get to get away with "but no credit card numbers were stolen" bullshit.
Any guest worker system is indistinguishable from indentured servitude.
There is no national system to prevent credit from being authorized in your name, even to aliens from other worlds.
Nor should there be, because it should not be your fault that someone has lax rules for giving out money to people. The fault lies squarely with the institution extending the credit, no one else.
The industry has framed this issue in the wrong way. It is not identity theft. It is BANK FRAUD, pure and simple. It should not be people who need to protect their "identity" or fight to prove they were not parties to a contract that they were not even aware of being made in their name. It should be banks and financial institution who should bear the burden and loss.
Why is identity theft not such a big deal in Europe or other countries ?
Data talent is almost non-existent in the US. Google, YouTube, Yahoo, Facebook, ADP, Twitter, Rakuten, Eucalyptus, Tesla, Auction.com, Pythian, Accenture and most major companies have all been desperately searching for data architects. E.g., Yahoo remained in negotiations for three years for rearchitecting their Yahoo Mail and Messenger. The recruiters these companies have and the top bosses all get overwhelmed when they do find a qualified candidate, scared they may lose their job if they hire the qualified person. If 700 companies approach the same data guy, what does that tell you? In Maryland, thousands of data and network security jobs have remained unfilled for years now. Data is misunderstood. I know this because I am the only one to claim having scaled a failing company to a top 10 world ranking and having recovered from a $100M disaster when the storage company responsible (3par) and database software creator (MySQL) both gave up. See the number of data breaches in CA (seemingly the place of innovation in data and tech) and you will be surprised. Read Verizon's annual data breach report and that will show you that data and network admins are just filling 9-5 time and not taking their jobs seriously. There is no company that provides data and security audits to protect against breaches like this. The CE*s have fallen too far behind to be aware of handling and running companies that handle personal data in large amounts.
Take this case and ask (yourself or experian):
What were the network/data/system admins doing for these two years?
What about monitoring services? How can Experian provide a monitoring service for your credit protection if it can't monitor its own systems? Experian is not in the credit business, it's in the data business. There ought to be severe penalties for providing what seems like a fraudulent data protection service, laws governing companies like this, and data auditing requirements (but there are no companies qualified to do that). The consequences of this breach are grossly misunderstood. These 15,000,000 people will be dealing with the consequences for a long time, since you can't just change your Social Security number or passport or birth date. The breached data is going to be sold, resold and used for an indefinite period of time. Expect similar breach reports from all major companies in the coming months and years. Personal data is an oil-like accountable asset according to the World Economic Forum. Sadly, Experian is just going to walk away with no major changes in its tech or data leadership. At most they will hire someone from academia with no real-world experience. Remember, a different experience set is required for building a car, racing that car, repairing that car and architecting the race course where the race will happen. Google at one point offered me three choices: join their YouTube, AdWords, or search division, stating that they are like a car that's going really fast and needs a change of all its tires as it prepares to go faster while keeping passengers safe. They told me not to post these words, but I am doing so anonymously without pointing the person out to communicate one point: data talent is almost non-existent, and recruitment plus the insecurity of the ones recruiting are preventing companies from getting the talent they so desperately need.
And if you're one of the bad guys, you know to wait two years now.