Slashdot Mirror


Experian Breached, 15 Million T-Mobile Customer's Data Exposed

New submitter Yuuki! writes: The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer who has applied for device financing or even services from T-Mobile which required a credit check. Both parties were quick to point out that no credit card or banking data was stolen as part of the attack. The attack started back in September 2013 and was only just discovered on September 16, 2015. Both Experian and T-Mobile have posted statements on their websites and Experian is offering credit for two free years of identity resolution services and credit monitoring in the wake of the breach.


  1. Two Free Years! by Anonymous Coward · · Score: 5, Insightful

    Two free years of credit monitoring after the bad guys had two free years of access! Great work, Experian!

    1. Re:Two Free Years! by Bob+the+Super+Hamste · · Score: 2

      I just want to know if the credit monitoring is going to be through Experian? Also do I get to decide when the credit monitoring starts as I already have a couple of other services monitoring my credit and I don't think I need another concurrent one. It would be nice if these things stacked instead of ran concurrent.

      --
      Time to offend someone
    2. Re:Two Free Years! by CaptainLard · · Score: 4, Insightful

      I currently have 3 separate free credit monitoring services from prior breaches in other companies. I'm confident that I'll have perpetual free credit monitoring since the credit monitoring lobby is now rich enough to force congress to maintain the status quo.

    3. Re:Two Free Years! by easyTree · · Score: 1

      Two free years of credit monitoring after the bad guys had two free years of access! Great work, Experian!

      I read their offer as "This is not the incompetence you're looking for; we're still relevant; no-one's worth may be judged without our say-so! dammit!!"

    4. Re:Two Free Years! by squiggleslash · · Score: 2

      I'm sure if we protest enough, they'll also give us a coupon for 20% off at Bed, Bath, and Beyond

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:Two Free Years! by MoarSauce123 · · Score: 1

      Not only that, they got apparently 15 million SSNs...what good does a two year protection do when the identity is hosed for life? Companies that are that careless with personal data should be mandated to provide free identity theft protection for life. Even more important, why the heck does Experian need the SSN? Did they plan to pay into the federal retirement accounts of people? The rampant abuse of the SSN needs to stop!

  2. Phew, I was worried there for a second. by EmagGeek · · Score: 5, Insightful

    Thank God my Credit Card numbers weren't breached, because those are impossible to cancel and replace. I'm so thankful it was only my Passport number, Driver's License number, social security number, full legal name, birth date, and address that were stolen, because those are a snap to cancel and replace.

    1. Re:Phew, I was worried there for a second. by Anonymous Coward · · Score: 3, Insightful

      I take it you are a foreigner who doesn't understand sarcasm.

    2. Re:Phew, I was worried there for a second. by Anonymous Coward · · Score: 5, Funny

      I was born in Sarcastistan, you insensitive clod!

    3. Re:Phew, I was worried there for a second. by markdavis · · Score: 1

      Yep, and you know, it was so necessary for that easily changed and security irrelevant information to be recorded and saved on their servers FOR YEARS.

    4. Re:Phew, I was worried there for a second. by easyTree · · Score: 3, Funny

      I was born in Sarcastistan, you insensitive clod!

      So.... you were...(nt?) born there? I'm confused.

    5. Re:Phew, I was worried there for a second. by easyTree · · Score: 1

      What better investment could they make when they need future control of their stock price?
      [x] Blends in with their nominal business practices?
      [x] Will have drastic effect on their stock price?
      [x] Can be blamed on (unknown! :))) third party?
      [_] Will have a permanent effect on the stock price?
      [x] Should do it?

      </paranoia-mode>

  3. inadequate by harvey+the+nerd · · Score: 4, Insightful

    They need to make more reparations than that, as actual remedy, compensation and punitive damages with a positive, non govt funding goal.

    In corporatese, "I'm sorry" are empty words with no meaning without restitution and money.

    1. Re:inadequate by gstoddart · · Score: 5, Insightful

      And as long as they have no legal liability for keeping this stuff safe, an insincere "I'm sorry" is all you will ever get. If corporations can hold your private data and have no consequences for having shit security, they will continue to do so.

      For a credit agency to store that much personally identifying information and be hacked tells me that agencies like this need to have some pretty severe penalties for shit like this ... because they have pretty much everything required to steal your identity.

      If we're going to entrust this data to these entities, we should sure as hell make certain we can actually trust them with it. And I would say that Experian has more or less demonstrated themselves to be incompetent to hold this information.

      It really is time to stop letting companies treat this as "their" data, and realize they have an obligation to safeguard our data, and to be legally responsible when they fail to do so.

      --
      Lost at C:>. Found at C.
    2. Re:inadequate by ITRambo · · Score: 1

      There is no remedy for laziness/ineptness. Anything done will probably be short term due to management priorities changing over time. Experian has been advertising their credit monitoring services on TV in the US. A bit ironic, I think.

    3. Re: inadequate by Sarten-X · · Score: 2

      We do have a choice. We can either trust others with our information, or we can live without the modern services they provide.

      You can live without telephone or Internet service. You can live without credit. You can live without running water, electricity, cable TV, or any other privatized "public" utility. There's your alternative choice.

      For most of the last century, America has been opposed to widespread government control. Out of a fear of "socialism", we campaign against raising the government-supplied standard of living. We say we don't want the government to take away our choice, without realizing that the only other option in the choice we have is to return to a standard of living set shortly after the Civil War.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    4. Re:inadequate by Anne+Thwacks · · Score: 1

      Freeze their assets for the duration of their prison term.

      I presume by "assets" you mean their "wedding tackle" - yes freeze with liquid Nitrogen.

      --
      Sent from my ASR33 using ASCII
    5. Re:inadequate by wasteoid · · Score: 1

      How about sourcing the credit / identity from something other than the data elements that keep getting stolen - and I'm not delusional enough to suggest biometric data.

    6. Re:inadequate by HiThere · · Score: 1

      But what are you suggesting?

      The problem is, if they can transmit the validating information, it can be stored and copied...and thus lost. That's the real reason all biometrics are an inherently bad idea.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  4. Identity Theft by Jason+Levine · · Score: 5, Informative

    As an identity theft victim, let me say that "no credit card or banking data was stolen" means nothing. With name, address, SSN, and birth date compromised (as well as driver's license and passport numbers), anyone can now open new lines of credit in the names of any of the 15 million people whose information was accessed. And the two years of "credit monitoring" will do almost nothing. Fraud alerts won't either - those are voluntary.

    My recommendation if you are one of the 15 million people is to freeze your credit. This will stop ANYONE from opening a new line of credit under your name unless you first thaw your credit file. It's a royal pain in the rear when you need to do things like refinance a loan, but it's better than having a collections agency banging down your door because you owe $5,000 on a credit card that "you" opened.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Identity Theft by gtall · · Score: 5, Interesting

      I second this advice, I did this several years ago. It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name. The system relies on the intuition, and it is only that, that any self-respecting credit issuing entity will require a credit record (and a good one, at that) before issuing credit. If Joe's Bank and Bait Shop wants to issue someone a credit card in your name and doesn't give a flying rat's ass about your credit history, they are free to do this.

      There is no national system to prevent credit from being authorized in your name, even to aliens from other worlds.

    2. Re:Identity Theft by drinkypoo · · Score: 3, Interesting

      It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name.

      Yep. A shady car dealer in Nevada City gave an illegal with my SSN written on a check cashing card credit in my name, and now it's on my credit report. The whole idea that this can even happen is proof that the system is broken. I shouldn't have to appear to fight this, no court should have granted a judgement on the basis of a CHECK MART card with my SSN written on it in pen.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Identity Theft by cdrudge · · Score: 1

      It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name.

      And apparently for 15m people, at least one of the three credit record agencies may be assisting others getting credit in your name...

    4. Re:Identity Theft by mrchaotica · · Score: 4, Insightful

      My recommendation if you are one of the 15 million people is to freeze your credit.

      You know the best part? The best part is that in order to do that, you get to PAY A FEE TO THE SAME GODDAMN FUCKERS WHO LOST THE INFORMATION IN THE FIRST PLACE!

      1. Step 1: Collect everyone's personal information
      2. Step 2: Lose said information, forcing the victims to freeze their credit
      3. Step 3: Charge the victims $5-10 each to do that freeze, and another $5-10 each time each victim needs to thaw or re-freeze it, forever
      4. Step 4: profit, over and over again!

      (There is no "..." step; this is actually Experian's business plan!)

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    5. Re:Identity Theft by easyTree · · Score: 1

      There is no national system to prevent credit from being authorized in your name, even to aliens from other worlds.

      Agreed; indeed both my immediate neighbours were recently granted credit and they're gelatinous CO2-respiring life-forms from out of town. Curiously, I've been repeatedly turned down, despite paying-off every one (of fifteen credit records) loan, hp agreement etc. with only two missed payments since my credit history began.

      I'm more interested in their ability to perform their core task of determining someone's creditworthiness than anything as ancillary as preventing credit theft although that is a close second.

      It disturbs me that these agencies are seen to be infallible (certainly with respect to credit-scoring) and are free to operate without oversight, despite there being no logical manner to derive their decisions from their available data!

      Surely, someone (else, tm) should be looking in to this given that ability to obtain credit is so crucial to one's flexibility in the modern world.

    6. Re:Identity Theft by operagost · · Score: 1

      Yours isn't the scenario we're talking about. If your credit record were frozen, they wouldn't be able to pull a report and thus wouldn't be able to put a ding on it. If you did freeze it and they let some random person put this on it, you should be suing that credit agency for libel.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    7. Re:Identity Theft by Jason+Levine · · Score: 1

      Don't forget that you need to pay each of the three major credit agencies. Also, if you're married and applying for a loan, your spouse and you need to pay separately. If my wife and I want to thaw our credit, it costs us $30. Awhile back there was a bill in Congress that would have made it free to freeze your credit, but the credit agencies, credit card companies, etc all lobbied against it. They see frozen credit as lowered profits (since you can't open new lines of credit on a whim). The rash of identity theft, to them, is just a corporate write-off at worst.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    8. Re:Identity Theft by Alumoi · · Score: 1

      With name, address, SSN, and birth date compromised (as well as driver's license and passport numbers), anyone can now open new lines of credit in the names of any of the 15 million people whose information was accessed.

      And that's why in backworld countries you are required to provide some government issued photo ID when you open a bank account. Just saying.

  5. Re:Electronic footsteps on the Breaches by jedidiah · · Score: 2

    ...there won't even be the same sort of mass outrage associated with this. Only a few geeks will even notice or pay attention. Making it even less likely that anything will change.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  6. 8ts by Impy+the+Impiuos+Imp · · Score: 1, Offtopic

    Experian Breached, 15 Million T-Mobile Customer's Data Exposed

    The apostrophe should go after the 's'.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:8ts by sexconker · · Score: 1

      No, it should go between the two esses.

  7. Experian by internerdj · · Score: 4, Interesting

    One of the three major credit rating services? I'm a little bit impressed that this breach was limited to only everyone who has ever applied for T-Mobile service.

    1. Re:Experian by jhecht · · Score: 3, Insightful

      How do we know it WAS limited to people who applied for T-Mobile service? It took Experian two years to find the breach in the first place.

    2. Re:Experian by wasteoid · · Score: 1

      It wasn't limited to T-Mobile customers, although those accounts were the majority of what was stolen from Experian.

  8. Fuck You, Experian by drinkypoo · · Score: 5, Insightful

    Guess what they're not giving you? Your actual credit report. You just get the abbreviated version, so you can't actually look it over and see if this generally corrupt industry is fucking you. They will, however, sell you your credit report at a special members-only price. So what's happened here basically is that Experian is getting free advertising and T-Mobile is going to get off without punishment.

    Fuck you Experian, and fuck you T-Mobile.

    I already said fuck T-Mobile since they cancelled the PAYG plans I've been using, but fuck them twice now.

    Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Fuck You, Experian by swb · · Score: 4, Insightful

      None of this should be surprising. The credit reporting services are in business to please their customers, the credit issuers. People who apply for credit are part of the product.

      I would even go so far as to argue that the credit reporting agencies have an incentive to make your credit report as bad as possible, since the worse the report, the higher the interest rate you get charged for borrowing money. And the good news for creditors is that it doesn't force them to be more competitive, since they're all competing against the same view of your creditworthiness. Erring on the side of reduced creditworthiness lets creditors charge a higher interest rate for a risk that isn't elevated.

      My conspiracy minded side says this is why erroneous credit data is hard to remove and why credit reporters want to use non-financial correlates (like driving records) as part of your credit score -- something you can't ever get removed yet makes your credit report look marginally worse, thus making you a more profitable creditor via higher interest rates.

    2. Re:Fuck You, Experian by drinkypoo · · Score: 1

      So far, I've had good luck with ting.com

      They only support 2G for my phone, but I might try them for a non-internet plan since that's effectively what I have now.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Fuck You, Experian by operagost · · Score: 1

      Each of the major credit reporting agencies must supply you a complete credit report annually upon request. Come on, this is not new.

      https://annualcreditreport.com...

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    4. Re:Fuck You, Experian by ftobin · · Score: 2

      Lenders want to lend. If the credit-worthiness data does not correlate well with ability to repay, lenders cannot efficiently lend and will look for a different service. The number of participants in this space might make this a slow change, but normal market competitiveness has the opportunity to have effect.

    5. Re:Fuck You, Experian by Sir+Holo · · Score: 1

      Each of the major credit reporting agencies must supply you a complete credit report annually upon request. Come on, this is not new.

      https://annualcreditreport.com...

      Technically, that is true. I've got mine in the past this way. But is there a penalty if they do not comply?

      The Credit Agencies make it a total pain to get the free report, and try to up-sell you crap left and right. I've had them give me "high traffic; try again later" a few times, too.

      I ordered mine, on paper, two months ago. None have yet arrived.

    6. Re:Fuck You, Experian by slinches · · Score: 1

      Are there ANY US mobile providers ... which are not total fucks?

      No.

      There are only varying degrees of total fuckishness and, as far as I can tell, T-Mobile is the best of the bunch. Maybe you can find a trustworthy local MVNO, but even then most of the money you pay them will still be supporting one of the big 4.

      --
      Knowledge Brings Fear
    7. Re:Fuck You, Experian by Anne+Thwacks · · Score: 1

      Lenders want to lend. If the credit-worthiness data does not correlate well with ability to repay, plausible deniability is a perfectly adequate substitute

      FTFY

      --
      Sent from my ASR33 using ASCII
    8. Re:Fuck You, Experian by swb · · Score: 1

      If the credit-worthiness data does not correlate well with ability to repay,

      None of this changes the desire of the lenders to charge more profitable interest rates nor the desire of credit reporting agencies to have their scoring seen as more profitable. Since lenders are inherently risk-averse and profit-oriented, they have an incentive to lend at the interest rate that represents the highest possible risk and highest possible profit.

      There's almost no way for a credit reporter to lose by reporting clients as worse risks than they really are. If a lender has a loan go bad and they see that the borrower was assigned the worst of three possible credit scores, they can't blame the credit reporting agency who reported it. If a loan was repaid correctly, the credit reporting agency was ALSO right AND the lender made more money.

    9. Re:Fuck You, Experian by msimm · · Score: 1

      Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?

      Cricket Wireless (subsidiary of AT&T) and MetroPCS (partnered with T-Mobile) provide pay-as-you go service for both companies.

      I've used both since I bought an off-contract phone and had no problem with either. I settled with Cricket because of coverage where I'm living in central Texas.

      --
      Quack, quack.
    10. Re:Fuck You, Experian by drinkypoo · · Score: 1

      Yeah, I ordered one once, I never got it, I didn't bother to try again. It's all just a scam to sell you shit.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Requirement to be forgotten by Anonymous Coward · · Score: 5, Insightful

    One of the best things that can be done to prevent data breaches is require that data be deleted after a certain time. I don't see a good reason why 15 million customers should have their data retained after the credit check is complete. It won't stop breaches, but it would limit their scope. There also needs to be severe penalties for negligent security or failing to notify customers in a timely manner. Better yet, eliminate social security numbers for identification altogether outside of social security and (maybe) tax purposes. And it's no surprise that a credit bureau was attacked. They're gold mines of information waiting to be compromised. I'd like to see particularly strong regulation of these companies. Consumers don't really get to opt in, but this personal information is stored and can be compromised easily. That doesn't seem fair at all to me.

    1. Re:Requirement to be forgotten by Archwyrm · · Score: 2

      Does it really matter how long the data is being stored when it's being actively stolen over the course of two fucking years?

      --
      Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
    2. Re:Requirement to be forgotten by ftobin · · Score: 1

      One of the best things that can be done to prevent data breaches is require that data be deleted after a certain time. I don't see a good reason why 15 million customers should have their data retained after the credit check is complete.

      Credit scores reasonably include attempts to acquire more credit (which is what most phone contracts really are, even if month-to-month), so it wouldn't be possible to delete data after a credit check is complete.

      Note: it is possible to escape the credit-check part of the equation by using pre-paid phones.

    3. Re:Requirement to be forgotten by david_thornley · · Score: 1

      The credit bureaus need to keep identifying information on everyone. Otherwise, they couldn't keep credit ratings up to date, and they couldn't even give my score to anyone as they wouldn't know that that was my score.

      It appears that what was leaked was identifying information, which they really have to keep.

      My Social Security number is fine for identifying me. It really, really sucks at verifying that I'm me. The idea that someone who knows the number I am required to tell many different people must be me has to go.

      The big problem is that institutions don't actually verify who they're dealing with before granting credit, talking to credit bureaus, working with collection agencies, and so on. They accept identification at face value. If they required some sort of verification (and I'm not saying that's necessarily easy to work out), there'd be no problem.

      It's really unfortunate that this is known as "identity theft" rather than "fraudulent misrepresentation".

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  10. so there will be even more iphones on craigslist? by known_coward_69 · · Score: 1

    seems every year the thing to do is open a T-Mo account, "buy" an iphone and resell it before it's bricked for not paying the bill

  11. Re:Electronic footsteps on the Breaches by rmdingler · · Score: 1

    ...there won't even be the same sort of mass outrage associated with this. Only a few geeks will even notice or pay attention. Making it even less likely that anything will change.

    Quite right. Even now (as millions of hard-earned credit ratings are threatened) the school shooting, the Vatican's elaboration on the Pope meeting Ms. Davis, and latest thing Trump said are bigger news stories.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  12. There is ONLY one thing to do! by jjhues7676 · · Score: 1

    Go to all 3 reporting agencies and lock them down. It only takes a little time per agency and will save you years of headaches later. If you need to apply for credit unlocking is just as easy. You can choose a time frame or a specific company to allow through.

    1. Re:There is ONLY one thing to do! by CimmerianX · · Score: 1

      "Fees vary based on where you live, but commonly range from $5 to $10"

      Wonderful how these Aholes can charge us to freeze our credit, and then charge us to unfreeze it.

  13. Experian Credit Breach by Anonymous Coward · · Score: 5, Insightful

    Experian is offering a two year free credit monitoring in connection with the breach of their system. In order to sign up for the two year credit monitoring they require you to provide your full identity; SS number, birth date, etc. Isn't that just the information that was just compromised in their system??? How do they think they can be trusted??? This does not resolve the problem of their lack of network security with sensitive information.

  14. Make PII Go Away by Archwyrm · · Score: 4, Insightful

    It is high time the abuse of the Social Security Number ended. SSNs should be used for one thing: Social Security. Using a single "secret number" is an archaic system that for increasing numbers of people is no longer secret. Let's not forget all your other details which are used to identify you but aren't really that secret (your full name, your birthday, etc).

    This information is used for identifying a person or proving identity so it's an authentication problem. We can do better! We have public key encryption. The government issues you a key pair (say, embedded into a photo ID, which we all have already) and now you can prove your identity without giving someone an irrevocable secret.

    Authentication is also two factor: You have an ID and you know a PIN (or passphrase). If you lose your card, then your identity is not immediately compromised because it is protected by your PIN. This gives you time to have the gov't revoke your old key pair and issue you a new one.

    In the case of the credit bureaus (I think we can all safely assume credit isn't going away any time soon), they associate your credit history with your public key and nothing else. If the key is revoked (by the gov't), then they move your file to the new key. No one can take out credit using the old key. In fact, any attempt could be reported to law enforcement.

    The entire US Department of Defense has been using a system like this for years now and has by and large done away with things like passwords and hand signatures, especially for the things that matter most.

    Is this completely foolproof to prevent someone impersonating you? No, but it is much better than having your SSN and other PII out on some forum where just anyone can use it for nefarious purposes and would be well worth its cost and complexity. The greatest obstacle is the credit bureaus having nothing to gain in actually protecting their "customers'" data because then to whom will they sell credit monitoring?

    --
    Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
    1. Re:Make PII Go Away by david_thornley · · Score: 1

      Most people can deal with a number on a piece of paper. Most people are going to have real problems with handling a private key, having it available whenever desired while keeping it secret even if their computer is taken over and not losing it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:Make PII Go Away by Archwyrm · · Score: 1

      The key pair is embedded on a chip in your ID. The circuitry does the decryption, so the private key is never exposed to any computer that it is used with. This is also the point of the passphrase/PIN. The chip won't decrypt without it. This is how the smart cards used by DoD function and they double as a military ID (which is supposed to be kept on the owner at all times practical). They really are Idiot Resistant.

      The drawback is that most computers these days do not have a smart card reader. USB would be better but doesn't fit nicely into something as thick as a credit card.

      --
      Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
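
The scheme discussed in the "Make PII Go Away" comment and its replies, as an added example that is not part of the original thread: a PIN-gated card signs a fresh challenge, the bureau keys the credit file by public key, and a reissue revokes the old key and reports later attempts with it. The `Card` and `Bureau` types, the use of Ed25519, the 3-try lockout and the sample PINs are assumptions made for illustration; the card is simulated in software rather than on a chip.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrLocked  = errors.New("card locked after repeated wrong PINs")
	ErrBadPIN  = errors.New("wrong PIN")
	ErrRevoked = errors.New("key revoked by issuer")
	ErrUnknown = errors.New("no file for this key")
	ErrBadSig  = errors.New("response not signed by the presented key")
)

// Card stands in for the ID chip: the private key stays inside, signing needs the PIN.
type Card struct {
	priv    ed25519.PrivateKey
	pin     []byte
	retries int // assumed policy: three wrong PINs lock the card
}

func NewCard(pin string) (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv, pin: []byte(pin), retries: 3}, pub
}

func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.retries == 0 {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare(c.pin, []byte(pin)) != 1 {
		c.retries--
		return nil, ErrBadPIN
	}
	c.retries = 3
	return ed25519.Sign(c.priv, challenge), nil
}

// Bureau keys each credit file by public key and stores no reusable secret.
type Bureau struct {
	files    map[string]string
	revoked  map[string]bool
	Reported []string // attempts made with a revoked key
}

func NewBureau() *Bureau {
	return &Bureau{files: map[string]string{}, revoked: map[string]bool{}}
}
func keyID(pub ed25519.PublicKey) string                    { return hex.EncodeToString(pub) }
func (b *Bureau) Enroll(pub ed25519.PublicKey, file string) { b.files[keyID(pub)] = file }

// Reissue applies the issuer's revocation: retire old, move the file to next.
func (b *Bureau) Reissue(old, next ed25519.PublicKey) {
	b.revoked[keyID(old)] = true
	b.files[keyID(next)] = b.files[keyID(old)]
	delete(b.files, keyID(old))
}

// Authenticate challenges the card with fresh random bytes and verifies the reply.
func (b *Bureau) Authenticate(pub ed25519.PublicKey, card *Card, pin string) (string, error) {
	id := keyID(pub)
	if b.revoked[id] {
		b.Reported = append(b.Reported, id)
		return "", ErrRevoked
	}
	file, ok := b.files[id]
	if !ok {
		return "", ErrUnknown
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	sig, err := card.Sign(pin, challenge)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return "", ErrBadSig
	}
	return file, nil
}

func main() {
	b := NewBureau()
	card, pub := NewCard("4821") // constructed sample PIN
	b.Enroll(pub, "credit-file-A")
	thief, _ := NewCard("0000") // knows pub, holds a different private key
	fmt.Println(b.Authenticate(pub, thief, "0000"))
	fmt.Println(b.Authenticate(pub, card, "4821"))
}
```

Because the public key is only an identifier, someone who learns it (the position an SSN holder's data is in after a breach) still fails the signature check without the card and its PIN.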
  15. soon we'll all be Anonymous! by Anonymous Coward · · Score: 2, Funny

    All told, I have 17,300 years of credit monitoring due to various corporate negligence.
    There's no way they're going to steal my identity again!

  16. Still too much uncertainty of the size of exposure by idontgno · · Score: 4, Insightful

    "15 million". Huge number. It usually takes the power of the US Federal Government to screw up this big.

    But one thing is not clear from TFA, let alone from the slightly misleading TFS.

    This is an Experian hack, not a T-Mobile hack. What makes any "expert" think the exposure is limited to someone who interacted with T-Mobile? Experian is one of the awful ubiquitous unavoidable facts of life, much like the Government (see above). If you have participated in any non-cash financial transaction, they probably have a file on you.

    What are the particulars of this breach that make it strictly an "Experian interacting with T-Mobile" risk? Experian is huge, and if you're counting on some kind of strict internal data partitioning within the company to restrict the attack area to "T-Mobile applicants" you're too naive to sit with the grown-ups.

    Seriously. Why the fuck isn't this a maximal-sized no-holds-barred every-file-Experian-holds breach?

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  17. Good news, everyone! by operagost · · Score: 1

    Good news everyone! The bad guys only got things like your SSN, which can never be changed and which will haunt you forever, but not the credit card numbers which can easily be replaced and you probably wouldn't be liable for any illicit charges on, anyway.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  18. This is a good thing, and inevitable. by choke · · Score: 1

    These breaches are a good thing, because they are forcing evolution.

    Something we in IT have always known, is that security cannot be solely applied through obscurity. There will always be opportunity, tools and motivation that expose it.

    This has never translated into other information sensitive disciplines, and right at this moment we have a tremendous amount of fragility in our financial and personal identification infrastructures because there is no concept of authentication.

    That has to change. More of these breaches, which are not in and of themselves exceptions but rather the rule, will raise awareness to the reality of the situation - that attempting to protect oneself by hoping that ever more widely distributed sensitive information isn't disclosed, is not feasible.

    --
    "No good deed goes unpunished"
    1. Re:This is a good thing, and inevitable. by Jason+Levine · · Score: 1

      No matter how many times these breaches happen, we won't "evolve" a response because there are big financial companies whose profits rely on accumulating and easily accessing our credit files. Those companies will use their lobbying might to kill any reform bills that even slightly smell like they might slightly inconvenience them in the pursuit of protecting people. They might allow some useless "feel good" legislation to pass, but you can be sure they won't let any consumer protections "evolve" because that would mean less profits. So what if 15 million more people become identity theft victims? They can just write off the credit monitoring service they "generously" provide and that's the end of that. (For them. For the 15 million people, the pain is just starting.)

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  19. No Ting for Me by drinkypoo · · Score: 1

    "numbering services not available for that area"

    whatever the shit that means

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  20. Perfect irony by argStyopa · · Score: 1

    I went to the Tmobile site and what happened?

    I got a popup saying "T-Mobile wants to know your location"

    How fucking ironic.

    --
    -Styopa
  21. 2 years? by DewDude · · Score: 1

    It seems to me if it's been going on for 2 years, Experian hasn't been doing the job to secure our data. They should be facing some criminal charges or fines over this. Better yet; they should shut down. This is very gross incompetence. What's the two years going to do? "Oh, someone is using your data. LOL. Sorry." That's pretty much all they're going to do. They're not going to help solve a problem they are responsible for. They need to be held responsible; by someone. 2 days I could understand; 2 years is just plain incompetence.

  22. Re:T-Mobile breached? by willworkforbeer · · Score: 1

    Geez, the Magenta Mafia downmodding is harsh... But I stand by it, because as we know, Real Men (TM) use Sprint, just to prove they can suffer like Sisyphus and by God take it like men.

    --
    Pretending this is my office full of bitter coworkers..
  23. Re:Electronic footsteps on the Breaches by lgw · · Score: 2

    I can at least understand the shooting becoming the top story for a while (if it bleeds it leads), but it's obvious how far the news media has fallen when "the Pope is Catholic" is headline news.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  24. The information actually stolen is far worse... by ethanms · · Score: 1

    The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates, driver's license and passport numbers

    ...

    Both parties were quick to point out that no no credit card or banking data was stolen as part of the attack

    Great, so the banking and credit card data--which would only lead to fraud for which the individual would not be held accountable--wasn't stolen. But all the most valuable data for applying for fake credit and identity theft was! Much harder to fight off fake accounts than fake charges on a valid account.

    This should go beyond just two years of free monitoring... what do I do when someone is out there impersonating me? Hope I have an alibi when they come looking for me, but that's sort of tough to do when you're a basement dwelling hermit...

    1. Re:The information actually stolen is far worse... by Jason+Levine · · Score: 1

      This should go beyond just two years of free monitoring... what do I do when someone is out there impersonating me? Hope I have an alibi when they come looking for me, but that's sort of tough to do when you're a basement dwelling hermit...

      I'm an identity theft victim, albeit a lucky one who caught it early before too much damage was done, and it was scary when someone opened a credit card in my name. What's scarier, though, is if a criminal is arrested and gives your name/SSN/DOB. I used to read the blog of someone who was going through just that. He was fired from his job because he failed a background check, couldn't find a new job, and had police stalk him because they considered him a criminal (despite the fact that "his" mugshot looked nothing like him). Even when he got one department to remove his "conviction" from their records, it just flowed back from another police database. It took years before anyone would listen and years more before he started to make any real progress.

      Unfortunately, you can't stop this with a simple credit freeze like you can stop normal identity theft. In fact, there's no way to stop this at all. Any criminal with your name/SSN/DOB could give that information when they are arrested and pass their arrest record on to you.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:The information actually stolen is far worse... by HiThere · · Score: 1

      The hideous thing is that identity theft doesn't even need to be intentional. My wife got hit with the bill for a MAN who died in a hospital in a different city. They had the same name, but no other similar characteristics. And it STILL took years to fight through. The bank the hospital used sold the debt to a collection agency (well, more than one, actually) who wouldn't even take a death certificate as proof that she wasn't him.

      Say something bad about the financial credit system and I'll believe it without checking, after that experience. Say something good, and you'll need to prove exactly what you mean and the limits of your claim and provide very good evidence as to why I should believe you.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:The information actually stolen is far worse... by Cederic · · Score: 1

      The bank the hospital used sold the debt to a collection agency (well, more than one, actually) who wouldn't even take a death certificate as proof that she wasn't him.

      Why bother to prove it to them? You've told them, they ignored you, what are they going to do next? Absolutely nothing unless they want suing into oblivion.

    4. Re:The information actually stolen is far worse... by HiThere · · Score: 1

      Because it goes into your credit history...and to get them to stop calling every half hour. (I exaggerate, but that's what it felt like.)

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:The information actually stolen is far worse... by Cederic · · Score: 1

      If it goes in your credit history, they've told lies about you. Sue them.

      If they keep harassing you, ask the police to arrest them for harassment.

    6. Re:The information actually stolen is far worse... by HiThere · · Score: 1

      I don't have a lawyer on retainer, so suing them would have cost me quite a bit. And it did, eventually, get straightened out. (I *was* thinking of suing them before we finally straightened things out, though. But collection agencies are in a different state...if they tell you where they are. They intentionally don't make things easy, as if you just pay them off they win.)

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  25. Re:Still too much uncertainty of the size of expos by Anonymous Coward · · Score: 2, Informative

    Experian partitioned clients apart from one another. The breach hit their T-Mobile systems, which is why they are mentioning it only affects T-Mobile customers. But, you are right not to trust Experian, if it happened to one of their systems it could be happening as we speak to any other of their clients. It could also be happening to any of the other credit partners or banks as well and we'll find out in the coming years. My father used to work for a large bank, he would always tell me stories of breaches that occurred like people faking checks who were from Nigeria, etc. And, I asked why the banks weren't more proactive with their security procedures. He said it was because they do a cost analysis on and determine that there is an acceptable amount of risk, because securing your accounts is costly compared to the losses. I think that as these breaches increase in frequency in the digital age, that cost benefit analysis graph is going to turn upside down and not look as rosy anymore.

  26. NOT TWO YEARS by Anonymous Coward · · Score: 1

    I read the Experian notification of the breach.

    The _hack_ occurred over a "limited period of time". The _data_ that was exposed was from a two year time period.

    So, no one has been hacking Experian for two years continuously.

    Odds are really good that I'm affected, and believe me I know this doesn't make any difference :)

  27. Passport numbers?!?!? by cayenne8 · · Score: 1

    I'm puzzled at one blurb in the synopsis...PASSPORT numbers?

    WTF would they have passport numbers for a T-Mobile phone?!?

    It seems strange they'd even have a slot to store US passport numbers, considering that the vast majority of US citizens don't have or need a passport, eh?

    That just struck me as odd that they'd have this stored associated with a mobile phone credit application.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:Passport numbers?!?!? by cayenne8 · · Score: 1

      How can one not have a passport?

      Well, not everyone travels out of the country, I'd dare say a LARGE majority of folks never leave their state much less leave US soil.

      If you're not leaving the country, why would you need a passport? And until the past couple years, you didn't even need a passport to run to Mexico or the Caribbean for the most part, just a drivers license and copy of your birth certificate, but after 9/11 that changed and you now need a passport. But I haven't left the country since those rules came to be, so I don't have a passport and don't foresee a need for one any time soon.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:Passport numbers?!?!? by rwa2 · · Score: 1

      Yeah, looked this up recently. Only about 1/3rd of US citizens even have a passport issued ever. That's no guarantee that they've even used it.

    3. Re:Passport numbers?!?!? by cayenne8 · · Score: 1

      Thanks for the explanation. It's interesting how different this is in the U.S. compared to Europe. It's probably a consequence of the U.S. being such a vast country and almost everyone having a driving licence.

      Interesting. So, I take it many more people in Europe have passports? If so, I'm guessing because some of the countries over there are so small and from what I understand in one day you can drive and cross 2 or more country borders.

      For some reason, however, I'd thought with the EU formation, that you could freely travel between those countries over there pretty much like we do between states here.

      Also, are you saying that the majority of people in Europe don't have drivers licenses?? How do they all get around if they don't have cars to drive?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:Passport numbers?!?!? by Applehu+Akbar · · Score: 1

      The universal document in the US is the driving license. Even people who don't drive get an ID card issued through the licensing agency.

    5. Re:Passport numbers?!?!? by chilenexus · · Score: 1

      Also, the countries that get the highest number of American visitors didn't require a passport to visit until after the 9/11 fiasco. I've been to Mexico and Canada several times each where all that was needed was a drivers license. Today you need a passport to do the same.

    6. Re:Passport numbers?!?!? by Albanach · · Score: 1

      They have this thing where they demand a second form of ID - they ask for a driver's license number, or a passport number. I protested and they settled for a student ID number, which in hindsight was a smart move.

    7. Re:Passport numbers?!?!? by Cederic · · Score: 1

      from what I understand in one day you can drive and cross 2 or more country borders

      In one step I've left one country, crossed another and ended up in a third.

      But there are plenty of places in Europe where the quickest route from country A to B is via C, some countries so small that it takes a bad traffic jam to stop you crossing lengthways in a morning and generally it's pretty common to visit neighbouring countries on holiday, or even to go shopping or to visit friends.

    8. Re:Passport numbers?!?!? by khellendros1984 · · Score: 1

      Traveling between countries in Europe is generally similar to traveling between US states (at least at the borders I've crossed). You would still want to carry internationally-recognized ID, and a passport would fit that purpose.

      and from what I understand in one day you can drive and cross 2 or more country borders.

      Yep. Imagine driving across the Eastern states. There's been more than one day in my life where I've briefly visited three countries.

      How do they all get around if they don't have cars to drive?

      Public transportation is pretty awesome, when well-implemented. A lot of people in Europe have cars, but a lot of them don't. If trains, streetcars, buses, and such suffice to get you where you need to go, why pay for the upkeep of your own vehicle?

      --
      It is pitch black. You are likely to be eaten by a grue.
  28. Thank God by Iniamyen · · Score: 1

    Thank God that only things like Social Security numbers were stolen - easily replaceable things like credit card numbers are still safe. Whew!

    1. Re:Thank God by Jason+Levine · · Score: 1

      Whenever I talk to my father about my identity theft and subsequent credit freeze, he tells me I should just change my SSN. Apparently, you *can* do that. However, it's not an easy process and I'd need to contact anyone who legitimately* has my SSN to update that. Once again, a criminal can do damage in one hour that the victim will be cleaning up for years.

      * SSNs shouldn't be used as unique identifiers at all so read "legitimately" to mean "they shouldn't need it, it shouldn't be a unique identifier, but the system is set up to require it and good luck trying to force them to change."

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  29. Oh boy. by ArylAkamov · · Score: 1

    Shit. I guess this might have something to do with a number of places telling me my SS# is either invalid or "has multiple names attached" (Why are multiple names attached to a single number even allowed? I would think it should return an error since there is no legitimate use for multiple names tied to a single number).

    1. Re:Oh boy. by rickb928 · · Score: 1

      "there is no legitimate use for multiple names tied to a single number"

      They are called 'aliases'. I have three IRL, all caused by misspellings in the past.

      One on a store credit app, somehow they could not get my five-letter last name correct. Ignats.

      One on a debt collection report for a university in a state I had never set foot in. When I asked for my academic records and diploma in exchange for a $200 bookstore bill, they relented and only called me every three years.

      One on a mortgage app, which to this day persists despite being changed. They sold my data before the loan was even approved.

      Oh, and I use both my full first name and the contracted version that you can figure out. Maybe a fourth alias?

      There are lots of reasons to have more than one name recorded for your social security number and not all of them are within your power to even correct. Data has a life of its own.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:Oh boy. by ArylAkamov · · Score: 1

      Thanks for the explanation, nobody else I have asked has been able to explain to me why there can be multiple names on a single SS#.

      What have you done to try and correct this?

      I went to the social security office and waited in line for ages only for them to tell me that this isn't their department (What?) and they can't help me. The only advice I have received is to file a police report and expect nothing to be done unless this starts seriously affecting my life.

    3. Re: Oh boy. by rickb928 · · Score: 1

      My sister and I have SSNs that are one digit apart; sequential; lsd.

      This causes problems. We cannot ever have accounts at the same damned bank, nor the same sort of credit at the same issuer.

      And no, this should not be a problem. Data is data.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    4. Re: Oh boy. by rickb928 · · Score: 1

      That is as good as it will get. SSA can't prevent those errors or criminal acts.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  30. How about by TsuruchiBrian · · Score: 1

    How about 2 years of high credit scores.

  31. No big deal by tehlinux · · Score: 1

    >revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer

    but no credit card numbers or banking data (other than your names, addresses, Social Security numbers, birth dates and driver's license and passport numbers)

    >Experian is offering credit for two free years of identity resolution services and credit monitoring

    Were you really planning on living longer than that?!

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
  32. The Unforgiven by Sir_Eptishous · · Score: 1
    --
    We play the game with the bravery of being out of range
  33. Re:Still too much uncertainty of the size of expos by idontgno · · Score: 1

    Ah, "dedicated accounts." That's just exactly like physical isolated network and storage architectures, right? So that if a cracker has, let's pretend*, a whole two years to poke around, they can't get through the impenetrable internal partitions between accounts.

    *facepalm*

    Air gap or GTFO.

    *And by "pretend", I mean "since they actually had two years undetected"...

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  34. My "Experiance" by Anonymous Coward · · Score: 1

    I am posting anonymously because my company just cancelled a project with Experian. It started bad, and got worse and worse.

    You may not know this, but Experian is trying to start a mailing list service, like Mailchimp. I work for a large broadcasting company, and we signed up to switch to their mailing lists. What scared the crap out of me is that we weren't just giving Experian an email address and subscribe/unsubscribe information for each mailing list. We were handing over pretty much all of the demographic data we had collected.

    Think about this for a minute. Experian, the credit rating company, was being given information about your personal likes and dislikes. I could already imagine them saying, "This person likes rap music. Lower their credit rating." or, "This person only reads conservative news. Looks like a good ol' boy to me."

    Fortunately, for now, Experian turned out to be totally incompetent. Their "API" was a joke, and the beautiful, fully featured front-end interface that they had "demonstrated" turned out to not exist at all. We dropped the project after converting one station, and now we are fighting to get out of the contract we signed.

  35. Re:T-Mobile breached? by cbhacking · · Score: 1

    Does this actually have anything to do with T-Mobile? From the sounds of it, it's Experian that was breached, and the attackers mostly (though not exclusively) took TMo subscriber info. TMo's own security wasn't compromised.

    I suppose you could argue that TMo should have gone with somebody more responsible / secure than Experian, but is there actually any such entity that provides the necessary services? As low as Experian sets the "not complete shit" bar, are the other credit agencies actually any better? They all suck.

    It would be nice to have a not-shit option here, of course. Naively, one would expect the free market to take care of it, but in practice there seems to only be the three agencies, all in a race to the bottom, with nobody actually interested in providing good service instead.

    --
    There's no place I could be, since I've found Serenity...
  36. Free credit reports for 6 years by alteran · · Score: 1

    It's now been 6 years since I've had to pay for credit reports because of all the breaches my data has been involved in.

    --
    Who is RTFM and when will he help me with Unix?
  37. well by superwiz · · Score: 1

    At least, they have a sense of humor about it. "But no credit card numbers were stolen"? Who would need that after they have your SSN, full name, address, birthday, driver's license and PASSPORT NUMBER? That's enough to have any credit card you want. Wait, they don't have a sense of humor, do they? They are not kidding, are they? They really do think this cloud has a silver lining? Oh, what the hell. If the Secretary of State can send emails through an unsecured server, and the IRS has a 6-month's data retention policy and can get away with claiming 6 simultaneous employees' hard drives crashed right after receiving subpoenas, maybe Experian does get to get away with "but no credit card numbers were stolen" bull shit.

    --
    Any guest worker system is indistinguishable from indentured servitude.