Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experian Breached, 15 Million T-Mobile Customer's Data Exposed

Posted by samzenpus on from the have-some-info dept.

New submitter Yuuki! writes: The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer who has applied for device financing or even services from T-Mobile which required a credit check. Both parties were quick to point out that no no credit card or banking data was stolen as part of the attack. The attack started back in September 2013 and was only just discovered on September 16, 2015. Both Experian and T-Mobile have posted statements on their websites and Experian is offering credit for two free years of identity resolution services and credit monitoring in the wake of the breach.

29 of 161 comments (clear)

  1. Two Free Years! by Anonymous Coward · · Score: 5, Insightful

    Two free years of credit monitoring after the bad guys had two free years of access! Great work, Experian!

    1. Re:Two Free Years! by Bob+the+Super+Hamste · · Score: 2

      I just want to know if the credit monitoring is going to be through Experian? Also do I get to decide when the credit monitoring starts as I already have a couple of other services monitoring my credit and I don't think I need another concurrent one. It would be nice if these things stacked instead of ran concurrent.

      --
      Time to offend someone
    2. Re:Two Free Years! by CaptainLard · · Score: 4, Insightful

      I currently have 3 separate free credit monitoring services from prior breaches in other companies. I'm confident that I'll have perpetual free credit monitoring since the credit monitoring lobby is now rich enough to force congress to maintain the status quo.

    3. Re:Two Free Years! by squiggleslash · · Score: 2

      I'm sure if we protest enough, they'll also give us a coupon for 20% off at Bed, Bath, and Beyond

      --
      You are not alone. This is not normal. None of this is normal.
  2. Phew, I was worried there for a second. by EmagGeek · · Score: 5, Insightful

    Thank God my Credit Card numbers weren't breached, because those are impossible to cancel and replace. I'm so thankful it was only my Passport number, Driver's License number, social security number, full legal name, birth date, and address that were stolen, because those are a snap to cancel and replace.

    1. Re:Phew, I was worried there for a second. by Anonymous Coward · · Score: 3, Insightful

      I take it you are a foreigner who doesn't understand sarcasm.

    2. Re:Phew, I was worried there for a second. by Anonymous Coward · · Score: 5, Funny

      I was born in Sarcastistan, you insensitive clod!

    3. Re:Phew, I was worried there for a second. by easyTree · · Score: 3, Funny

      I was born in Sarcastistan, you insensitive clod!

      So.... you were...(nt?) born there? I'm confused.

      --
      Requiem for the American Dream
  3. inadequate by harvey+the+nerd · · Score: 4, Insightful

    They need to make more reparations than that, as actual remedy, compensation and punitive damages with a positive, non govt funding goal.

    In corporatese, "I'm sorry" are empty words with no meaning without restitution and money.

    1. Re:inadequate by gstoddart · · Score: 5, Insightful

      And as long as they have no legal liability for keeping this stuff safe, an insincere "I'm sorry" is all you will ever get. If corporations can hold your private data and have no consequences for having shit security, they will continue to do so.

      For a credit agency to store that much personally identifying information and be hacked tells me that agencies like this need to have some pretty severe penalties for shit like this ... because they have pretty much everything required to steal your identify.

      If we're going to entrust this data to these entities, we should sure as hell make certain we can actually trust them with it. And I would say that Experian has more or less demonstrated themselves to be incompetent to hold this information.

      It really is time to stop letting companies treat this as "their" data, and realize they have an obligation to safeguard our data, and to be legally responsible when they fail to do so.

      --
      Lost at C:>. Found at C.
    2. Re: inadequate by Sarten-X · · Score: 2

      We do have a choice. We can either trust others with our information, or we can live without the modern services they provide.

      You can live without telephone or Internet service. You can live without credit. You can live without running water, electricity, cable TV, or any other privatized "public" utility. There's your alternative choice.

      For most of the last century, America has been opposed to widespread government control. Out of a fear of "socialism", we campaign against raising the government-supplied standard of living. We say we don't want the government to take away our choice, without realizing that the only other option in the choice we have is to return to a standard of living set shortly after the Civil War.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  4. Identity Theft by Jason+Levine · · Score: 5, Informative

    As an identity theft victim, let me say that "no credit card or banking data was stolen" means nothing. With name, address, SSN, and birth date compromised (as well as driver's license and passport numbers), anyone can now open new lines of credit in the names of any of the 15 million people whose information was accessed. And the two years of "credit monitoring" will do almost nothing. Fraud alerts won't either - those are voluntary.

    My recommendation if you are one of the 15 million people is to freeze your credit. This will stop ANYONE from opening a new line of credit under your name unless you first thaw your credit file. It's a royal pain in the rear when you need to do things like refinance a loan, but it's better than having a collections agency banging down your door because you owe $5,000 on a credit card that "you" opened.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Identity Theft by gtall · · Score: 5, Interesting

      I second this advice, I did this several years ago. It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name. The system relies on the intuition, and it is only that, that any self-respecting credit issuing entity will require a credit record (and a good one, at that) before issuing credit. If Joe's Bank and Bait Shop wants to issue someone a credit card in your name and doesn't give a flying rat's ass about your credit history, they are free to do this.

      There is no national system to prevent credit from being authorized in your name, even to aliens from other worlds.

    2. Re:Identity Theft by drinkypoo · · Score: 3, Interesting

      It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name.

      Yep. A shady car dealer in Nevada City gave an illegal with my SSN written on a check cashing card credit in my name, and now it's on my credit report. The whole idea that this can even happen is proof that the system is broken. I shouldn't have to appear to fight this, no court should have granted a judgement on the basis of a CHECK MART card with my SSN written on it in pen.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Identity Theft by mrchaotica · · Score: 4, Insightful

      My recommendation if you are one of the 15 million people is to freeze your credit.

      You know the best part? The best part is that in order to do that, you get to PAY A FEE TO THE SAME GODDAMN FUCKERS WHO LOST THE INFORMATION IN THE FIRST PLACE!

      1. Step 1: Collect everyone's personal information
      2. Step 2: Lose said information, forcing the victims to freeze their credit
      3. Step 3: Charge the victims $5-10 each to do that freeze, and another $5-10 each time each victim needs to thaw or re-freeze it, forever
      4. Step 4: profit, over and over again!

      (There is no "..." step; this is actually Experian's business plan!)

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  5. Re:Electronic footsteps on the Breaches by jedidiah · · Score: 2

    ...there won't even be the same sort of mass outrage associated with this. Only a few geeks will even notice or pay attention. Making it even less likely that anything will change.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  6. Experian by internerdj · · Score: 4, Interesting

    One of the three major credit rating services? I'm a little bit impressed that this breach was limited to only everyone who has ever applied for T-Mobile service.

    1. Re:Experian by jhecht · · Score: 3, Insightful

      How do we know it WAS limited to people who applied for T-Mobile service? It took Experian two years to find the breach in the first place.

  7. Fuck You, Experian by drinkypoo · · Score: 5, Insightful

    Guess what they're not giving you? Your actual credit report. You just get the abbreviated version, so you can't actually look it over and see if this generally corrupt industry is fucking you. They will, however, sell you your credit report at a special members-only price. So what's happened here basically is that Experian is getting free advertising and T-Mobile is going to get off without punishment.

    Fuck you Experian, and fuck you T-Mobile.

    I already said fuck T-Mobile since they cancelled the PAYG plans I've been using, but fuck them twice now.

    Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Fuck You, Experian by swb · · Score: 4, Insightful

      None of this should be surprising. The credit reporting services are in business to please their customers, the credit issuers. People who apply for credit are part of the product.

      I would even go so far as to argue that the credit reporting agencies have an incentive to make your credit report as bad as possible, since the worse the report, the higher the interest rate you get charged for borrowing money. And the good news for creditors is that it doesn't force them to be more competitive, since they're all competing against the same view of your creditworthiness. Erring on the side of reduced creditworthiness lets creditors charge a higher interest rate for a risk that isn't elevated.

      My conspiracy minded side says this is why erroneous credit data is hard to remove and why credit reporters want to use non-financial correlates (like driving records) as part of your credit score -- something you can't ever get removed yet makes your credit report look marginally worse, thus making you a more profitable creditor via higher interest rates.

    2. Re:Fuck You, Experian by ftobin · · Score: 2

      Lenders want to lend. If the credit-worthiness data does not correlate well with ability to repay, lenders cannot efficiently lend and will look for a different service. The number of participants in this space might make this a slow change, but normal market competitiveness has the opportunity to have effect.

  8. Requirement to be forgotten by Anonymous Coward · · Score: 5, Insightful

    One of the best things that can be done to prevent data breaches is require that data be deleted after a certain time. I don't see a good reason why 15 million customers should have their data retained after the credit check is complete. It won't stop breaches, but it would limit their scope. There also needs to be severe penalties for negligent security or failing to notify customers in a timely manner. Better yet, eliminate social security numbers for identification altogether outside of social security and (maybe) tax purposes. And it's no surprise that a credit bureau was attacked. They're gold mines of information waiting to be compromised. I'd like to see particularly strong regulation of these companies. Consumers don't really get to opt in, but this personal information is stored and can be compromised easily. That doesn't seem fair at all to me.

    1. Re:Requirement to be forgotten by Archwyrm · · Score: 2

      Does it really matter how long the data is being stored when it's being actively stolen over the course of two fucking years?

      --
      Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
  9. Experian Credit Breach by Anonymous Coward · · Score: 5, Insightful

    Experian is offer a two year free credit monitoring in connection with the breach of their system. In order to sign up for the two year credit monitoring they require you to provide your full identity; SS number, birth date, etc. Isn't that just the information that was just compromised in their system??? How do they think they can be trusted??? This does not resolve the problem of their lack of network security with sensitive information.

  10. Make PII Go Away by Archwyrm · · Score: 4, Insightful

    It is high time the abuse of the Social Security Number ended. SSNs should be used for one thing: Social Security. Using a single "secret number" is an archaic system that for increasing numbers of people is no longer secret. Let's not forget all your other details which are used to identify you but aren't really that secret (your full name, your birthday, etc).

    This information is used for identifying a person or proving identity so it's an authentication problem. We can do better! We have public key encryption. The government issues you a key pair (say, embedded into a photo ID, which we all have already) and now you can prove your identity without giving someone an irrevocable secret.

    Authentication is also two factor: You have an ID and you know a PIN (or passphrase). If you lose your card, then your identity is not immediately compromised because it is protected by your PIN. This gives you time to have the gov't revoke your old key pair and issue you a new one.

    In the case of the credit bureaus (I think we can all safely assume credit isn't going away any time soon), they associate your credit history with your public key and nothing else. If the key is revoked (by the gov't), then they move your file to the new key. No one can take out credit using the old key. In fact, any attempt could be reported to law enforcement.

    The entire US Department of Defense has been using a system like this for years now and has by and large done away with things like passwords and hand signatures, especially for the things that matter most.

    Is this completely foolproof to prevent someone impersonating you? No, but it is much better than having your SSN and other PII out on some forum where just anyone can use it for nefarious purposes and would be well worth its cost and complexity. The greatest obstacle is the credit bureaus having nothing to gain in actually protecting their "customers'" data because then to whom will they sell credit monitoring?

    --
    Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
  11. soon we'll all be Anonymous! by Anonymous Coward · · Score: 2, Funny

    All told, I have 17,300 years of credit monitoring due to various corporate negligence.
    There's no way they're going to steal my identity again!

  12. Still too much uncertainty of the size of exposure by idontgno · · Score: 4, Insightful

    "15 million". Huge number. It usually takes the power of the US Federal Government to screw up this big.

    But one thing is not clear from TFA, let alone from the slightly misleading TFS.

    This is an Experian hack, not a T-Mobile hack. What makes any "expert" think the exposure is limited to someone who interacted with T-Mobile? Experian is one of the awful ubiquitous unavoidable facts of life, much like the Government (see above). If you have participated in any non-cash financial transaction, they probably have a file on you.

    What are the particulars of this breach that make it strictly an "Experian interacting with T-Mobile" risk? Experian is huge, and if you're counting on some kind of strict internal data partitioning within the company to restrict the attack area to "T-Mobile applicants" you're too naive to sit with the grown-ups.

    Seriously. Why the fuck isn't this a maximal-sized no-holds-barred every-file-Experian-holds breach?

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  13. Re:Electronic footsteps on the Breaches by lgw · · Score: 2

    I can at least understand the shooting becoming the top story for a while (if it bleeds it leads), but it's obvious how far the news media has fallen when "the Pope is Catholic" is headline news.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  14. Re:Still too much uncertainty of the size of expos by Anonymous Coward · · Score: 2, Informative

    Experian partitioned clients apart from one another. The breach hit their T-Mobile systems, which is why they are mentioning it only affects T-Mobile customers. But, you are right not to trust Experian, if it happened to one of their systems it could be happening as we speak to any other of their clients. It could also be happening to any of the other credit partners or banks as well and we'll find out in the coming years. My father used to work for a large bank, he would always tell me stories of breaches that occurred like people faking checks who were from Nigeria, etc. And, I asked why the banks weren't more proactive with their security procedures. He said it was because they do a cost analysis on and determine that there is an acceptable amount of risk, because securing your accounts is costly compared to the losses. I think that as these breaches increase in frequency in the digital age, that cost benefit analysis graph is going to turn upside down and not look as rosy anymore.