The Green Sheet

Friday, October 9, 2015

Experian breach roils T-Mobile

Security analysts are warning that cybercriminals are increasingly targeting data brokers and credit screening services that aggregate consumer data. Experian Information Solutions Inc. estimates that up to 15 million consumers had their personal information stolen from the company’s T-Mobile USA database; the incident was first reported on Oct. 1, 2015.

The global data aggregator, based in Dublin, Ireland, with operations in the United States, United Kingdom and Brazil, employs 16,000 people in 39 countries. A statement on the company’s website portrayed the event as “an isolated incident [that occurred] over a limited period of time.”

Hackers gained entry to an Experian server that held “personal information for individuals, including some current customers, and also consumers who applied for T-Mobile USA postpaid service or device financing, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015,” the company stated.

Security analysts argue that the unauthorized entry into a global credit bureau’s database that continued undetected for two years is neither an isolated incident nor the first reported security data breach of T-Mobile customers, whose records were entrusted to Experian’s credit screening service. In 2003, Experian acquired Decisioning Solutions, a credit screening service for T-Mobile USA applicants, and discovered later the same year that the vendor had been compromised.

Big data, bigger breach

T-Mobile USA is a division of T-Mobile International AG, a German holding company for Deutsche Telekom AG's mobile communications subsidiaries outside Germany. Security analysts have questioned the company’s continuing fealty to Experian, which has been documented to have failed repeatedly to protect and secure the personal data of millions of T-Mobile USA customers.

“I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion, and this did not involve any payment card numbers or bank account information,” said John J. Legere, Chief Executive Officer of T-Mobile USA. Legere invited potentially affected customers to sign up for two free years of credit screening services at ProtectMyID.com, an Experian subsidiary.

“Instead of walking away from Experian and actually protecting its customers, T-Mobile continued to employ the firm,” wrote blogger Todd Haselton. “Guess what T-Mobile offers for customers affected by the breach? Yep, you guessed it, another two years of free credit monitoring from ProtectMyID, the Experian-provided service.”

Data brokers as targets

Experian positions its company and brand as a leading global information service that helps businesses manage credit risk and prevent fraud. These attributes make Experian and similar firms attractive to criminals. Personally identifiable information (PII) such as name, addresses and Social Security numbers can fetch a higher price than cardholder data on the Deep Web, also known as the Dark Web, where criminals freely traffic in stolen data and assorted types of contraband materials.

Security analysts have openly questioned how any breached data broker can effectively protect and defend the individuals and client companies it serves. “A breached data broker seems to lack strong intent when you consider how adept they are at collecting and validating information about consumers,” said Dante LoScalzo, Senior Manager of Security Consulting at Atlanta-based ControlScan Inc. “Couple that with the fact that many consumers are unaware of the methods used to collect information about them, the volume of information that’s held and who exactly has it, and the gravity of the situation becomes apparent.” LoScalzo went on to say that the “secret sauce” that some firms use to protect data is an insufficient defense against attackers who have already gained access to a network. “Many of these firms use antiquated means of obfuscating data, poor encryption implementations and inadequate access control,” he said, adding that these vulnerabilities highlight the need for security innovation and best practices.

Call for reforms

TrackOFF, a Baltimore-based startup that develops privacy and security software, predicted that a leading data aggregator like Experian would be hacked. Warning that hackers and foreign intelligence services will increasingly exploit this type of company, TrackOFF is calling for reforms in regulation and consumer protection, including educating consumers about how data brokers obtain and use their PII. The company recently published a white paper in response to the Federal Trade Commission’s invitation for public comment in preparation for the agency’s Nov. 16, 2015, workshop on cross-device tracking. The paper offered insights and recommendations on ways to manage and regulate the “mass collection and storage of consumer information by data brokers.”

“When we were putting together the white paper, we were shocked that no one else is addressing this topic,” said Chandler Givens, co-founder and CEO at TrackOFF. “This is surprising considering how hackers are actively seeking high repositories of consumer behavior; if I were working for an underground group or government intelligence agency, these data brokers would represent ideal targets.”

Givens noted that hackers can use up-to-date information from data aggregators to launch personalized attacks against consumers. “In certain instances, the hackers may know that someone will be taking a trip to Chicago,” he said. “The hacker could send out a phishing email related to the upcoming trip.” He went on to say that if the information in the email squares with the target’s itinerary, it increases the chance that the consumer will click on that link and become infected with malware. “If it hasn’t happened already, it will happen,” he said.
