Slashdot Mirror


Experian Breached, 15 Million T-Mobile Customers' Data Exposed

New submitter Yuuki! writes: The Washington Post reports that T-Mobile's credit partner, Experian, has been breached, revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer who has applied for device financing or even services from T-Mobile which required a credit check. Both parties were quick to point out that no credit card or banking data was stolen as part of the attack. The attack started back in September 2013 and was only just discovered on September 16, 2015. Both Experian and T-Mobile have posted statements on their websites and Experian is offering credit for two free years of identity resolution services and credit monitoring in the wake of the breach.

14 of 161 comments

  1. Two Free Years! by Anonymous Coward · · Score: 5, Insightful

    Two free years of credit monitoring after the bad guys had two free years of access! Great work, Experian!

    1. Re:Two Free Years! by CaptainLard · · Score: 4, Insightful

      I currently have 3 separate free credit monitoring services from prior breaches in other companies. I'm confident that I'll have perpetual free credit monitoring since the credit monitoring lobby is now rich enough to force congress to maintain the status quo.

  2. Phew, I was worried there for a second. by EmagGeek · · Score: 5, Insightful

    Thank God my Credit Card numbers weren't breached, because those are impossible to cancel and replace. I'm so thankful it was only my Passport number, Driver's License number, social security number, full legal name, birth date, and address that were stolen, because those are a snap to cancel and replace.

    1. Re:Phew, I was worried there for a second. by Anonymous Coward · · Score: 3, Insightful

      I take it you are a foreigner who doesn't understand sarcasm.

  3. inadequate by harvey+the+nerd · · Score: 4, Insightful

    They need to make more reparations than that, as actual remedy, compensation and punitive damages with a positive, non govt funding goal.

    In corporatese, "I'm sorry" are empty words with no meaning without restitution and money.

    1. Re:inadequate by gstoddart · · Score: 5, Insightful

      And as long as they have no legal liability for keeping this stuff safe, an insincere "I'm sorry" is all you will ever get. If corporations can hold your private data and have no consequences for having shit security, they will continue to do so.

      For a credit agency to store that much personally identifying information and be hacked tells me that agencies like this need to have some pretty severe penalties for shit like this ... because they have pretty much everything required to steal your identity.

      If we're going to entrust this data to these entities, we should sure as hell make certain we can actually trust them with it. And I would say that Experian has more or less demonstrated themselves to be incompetent to hold this information.

      It really is time to stop letting companies treat this as "their" data, and realize they have an obligation to safeguard our data, and to be legally responsible when they fail to do so.

      --
      Lost at C:>. Found at C.
  4. Fuck You, Experian by drinkypoo · · Score: 5, Insightful

    Guess what they're not giving you? Your actual credit report. You just get the abbreviated version, so you can't actually look it over and see if this generally corrupt industry is fucking you. They will, however, sell you your credit report at a special members-only price. So what's happened here basically is that Experian is getting free advertising and T-Mobile is going to get off without punishment.

    Fuck you Experian, and fuck you T-Mobile.

    I already said fuck T-Mobile since they cancelled the PAYG plans I've been using, but fuck them twice now.

    Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Fuck You, Experian by swb · · Score: 4, Insightful

      None of this should be surprising. The credit reporting services are in business to please their customers, the credit issuers. People who apply for credit are part of the product.

      I would even go so far as to argue that the credit reporting agencies have an incentive to make your credit report as bad as possible, since the worse the report, the higher the interest rate you get charged for borrowing money. And the good news for creditors is that it doesn't force them to be more competitive, since they're all competing against the same view of your creditworthiness. Erring on the side of reduced creditworthiness lets creditors charge a higher interest rate for a risk that isn't elevated.

      My conspiracy-minded side says this is why erroneous credit data is hard to remove and why credit reporters want to use non-financial correlates (like driving records) as part of your credit score -- something you can't ever get removed yet makes your credit report look marginally worse, thus making you a more profitable creditor via higher interest rates.

  5. Requirement to be forgotten by Anonymous Coward · · Score: 5, Insightful

    One of the best things that can be done to prevent data breaches is require that data be deleted after a certain time. I don't see a good reason why 15 million customers should have their data retained after the credit check is complete. It won't stop breaches, but it would limit their scope. There also needs to be severe penalties for negligent security or failing to notify customers in a timely manner. Better yet, eliminate social security numbers for identification altogether outside of social security and (maybe) tax purposes. And it's no surprise that a credit bureau was attacked. They're gold mines of information waiting to be compromised. I'd like to see particularly strong regulation of these companies. Consumers don't really get to opt in, but this personal information is stored and can be compromised easily. That doesn't seem fair at all to me.

  6. Experian Credit Breach by Anonymous Coward · · Score: 5, Insightful

    Experian is offering two years of free credit monitoring in connection with the breach of their system. In order to sign up for the two-year credit monitoring they require you to provide your full identity: SS number, birth date, etc. Isn't that just the information that was just compromised in their system??? How do they think they can be trusted??? This does not resolve the problem of their lack of network security with sensitive information.

  7. Make PII Go Away by Archwyrm · · Score: 4, Insightful

    It is high time the abuse of the Social Security Number ended. SSNs should be used for one thing: Social Security. Using a single "secret number" is an archaic system that for increasing numbers of people is no longer secret. Let's not forget all your other details which are used to identify you but aren't really that secret (your full name, your birthday, etc).

    This information is used for identifying a person or proving identity so it's an authentication problem. We can do better! We have public key encryption. The government issues you a key pair (say, embedded into a photo ID, which we all have already) and now you can prove your identity without giving someone an irrevocable secret.

    Authentication is also two factor: You have an ID and you know a PIN (or passphrase). If you lose your card, then your identity is not immediately compromised because it is protected by your PIN. This gives you time to have the gov't revoke your old key pair and issue you a new one.

    In the case of the credit bureaus (I think we can all safely assume credit isn't going away any time soon), they associate your credit history with your public key and nothing else. If the key is revoked (by the gov't), then they move your file to the new key. No one can take out credit using the old key. In fact, any attempt could be reported to law enforcement.

    The entire US Department of Defense has been using a system like this for years now and has by and large done away with things like passwords and hand signatures, especially for the things that matter most.

    Is this completely foolproof to prevent someone impersonating you? No, but it is much better than having your SSN and other PII out on some forum where just anyone can use it for nefarious purposes and would be well worth its cost and complexity. The greatest obstacle is the credit bureaus having nothing to gain in actually protecting their "customers'" data because then to whom will they sell credit monitoring?

    --
    Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
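    The public-key scheme this post sketches (a government-issued key pair on a PIN-gated card, bureau files keyed by public key rather than SSN, and revocation that moves the file to the new key while flagging any use of the old one), as an added Go example that is not part of the post or of any real ID system. It assumes Ed25519 for the key pair and a 32-byte random challenge from the bureau; the names Card, IssueCard, Bureau, Enroll, Revoke and Authenticate are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Card is the government-issued photo ID; its private key signs only after the PIN checks out.
type Card struct{ pin string; priv ed25519.PrivateKey; Pub ed25519.PublicKey }
func IssueCard(pin string) *Card {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{pin: pin, priv: priv, Pub: pub}
}
// Sign answers a bureau challenge; a wrong PIN never reaches the key, so a lost card alone proves nothing.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return nil, fmt.Errorf("bad PIN")
	}
	return ed25519.Sign(c.priv, challenge), nil
}
// Bureau keys credit files by raw public key bytes instead of SSN and remembers every revoked key.
type Bureau struct{ files map[string]string; revoked map[string]bool }
func NewBureau() *Bureau { return &Bureau{files: map[string]string{}, revoked: map[string]bool{}} }
func (b *Bureau) Enroll(pub ed25519.PublicKey, file string) { b.files[string(pub)] = file }

// Revoke moves the file to the replacement key; the old key can never open credit again.
func (b *Bureau) Revoke(old, replacement ed25519.PublicKey) {
	b.files[string(replacement)], b.revoked[string(old)] = b.files[string(old)], true
	delete(b.files, string(old))
}

// Authenticate returns the file for a valid signature over a fresh challenge; alert marks a revoked key.
func (b *Bureau) Authenticate(pub ed25519.PublicKey, challenge, sig []byte) (file string, alert bool, err error) {
	if b.revoked[string(pub)] {
		return "", true, fmt.Errorf("revoked key presented") // the event the post says to report
	}
	if f, ok := b.files[string(pub)]; ok && ed25519.Verify(pub, challenge, sig) {
		return f, false, nil
	}
	return "", false, fmt.Errorf("authentication failed")
}
func main() {
	b, card, challenge := NewBureau(), IssueCard("1234"), make([]byte, 32)
	rand.Read(challenge) // the bureau issues a fresh nonce per request
	b.Enroll(card.Pub, "credit file of A. Holder (constructed)")
	sig, _ := card.Sign("1234", challenge)
	fmt.Println(b.Authenticate(card.Pub, challenge, sig))
}
```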
  8. Re:Identity Theft by mrchaotica · · Score: 4, Insightful

    My recommendation if you are one of the 15 million people is to freeze your credit.

    You know the best part? The best part is that in order to do that, you get to PAY A FEE TO THE SAME GODDAMN FUCKERS WHO LOST THE INFORMATION IN THE FIRST PLACE!

    1. Step 1: Collect everyone's personal information
    2. Step 2: Lose said information, forcing the victims to freeze their credit
    3. Step 3: Charge the victims $5-10 each to do that freeze, and another $5-10 each time each victim needs to thaw or re-freeze it, forever
    4. Step 4: profit, over and over again!

    (There is no "..." step; this is actually Experian's business plan!)

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  9. Still too much uncertainty of the size of exposure by idontgno · · Score: 4, Insightful

    "15 million". Huge number. It usually takes the power of the US Federal Government to screw up this big.

    But one thing is not clear from TFA, let alone from the slightly misleading TFS.

    This is an Experian hack, not a T-Mobile hack. What makes any "expert" think the exposure is limited to someone who interacted with T-Mobile? Experian is one of the awful ubiquitous unavoidable facts of life, much like the Government (see above). If you have participated in any non-cash financial transaction, they probably have a file on you.

    What are the particulars of this breach that make it strictly an "Experian interacting with T-Mobile" risk? Experian is huge, and if you're counting on some kind of strict internal data partitioning within the company to restrict the attack area to "T-Mobile applicants" you're too naive to sit with the grown-ups.

    Seriously. Why the fuck isn't this a maximal-sized no-holds-barred every-file-Experian-holds breach?

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  10. Re:Experian by jhecht · · Score: 3, Insightful

    How do we know it WAS limited to people who applied for T-Mobile service? It took Experian two years to find the breach in the first place.