T-Mobile Customer Data Leaked By Experian… And Faulty Encryption Implementation

from the well,-isn't-that-grand dept

This week’s big data leak comes from mobile phone provider T-Mobile, who has admitted that someone hacked into credit giant Experian and got a bunch of T-Mobile customer data. The good news? The personal data was encrypted. The bad news? Experian fucked up the encryption and so it doesn’t matter:

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

I happen to be a T-Mobile customer, and I look forward to the usual bullshit response of a year’s worth of credit monitoring and promises that this will never happen again. You know, until it does.

As I’ve said before, I do worry about holding companies totally responsible for when they get hacked, because a determined adversary will hack into any company they want to eventually. That’s just the nature of the game. But when the company appears to be totally incompetent to the point of being negligent, it seems reasonable to hold them responsible. I’m sure in the coming days we’ll find out more details about how the “encryption was compromised” (and we’ll also probably learn that it impacts many more people than originally claimed). But these new data breaches every week or so are starting to get ridiculous.

Companies: experian, t-mobile


Comments on “T-Mobile Customer Data Leaked By Experian… And Faulty Encryption Implementation”

ltlw0lf (profile) says:

Re: Re:

I’m used to it. With all the credit monitoring I’m getting, I believe I’m now set for life plus 70 years.

I know this is tongue firmly in cheek, but if you are relying on credit monitoring services to keep you secure, you’ve already lost.

Better is to remove credit from the equation. Get rid of the big four credit reputation companies and the problem disappears immediately (well, except for the IRS, which still allows scammers to submit fraudulent tax returns based solely on publicly available information, and it is pretty safe to assume that your SSN and other vital information is publicly available by now.) Makes buying things on credit harder, but how many times do people actually do that in their lives?

Credit freeze is really the best way of doing this, and so long as it is implemented correctly (which, considering Experian is one of the four, and they have seriously fucked up here, that is a shaky assumption,) it makes things far more difficult for the scammers/criminals to use your information to steal stuff.

Anonymous Coward says:

Re: Re: Re:

Credit scores are accessed for more things than just applying for credit. Your credit score might be checked when applying for jobs and renting apartments, and on signing up for various utilities including things like cell phones.

I’m not saying that a credit freeze isn’t a good idea, but it is something to be aware of for those considering that path.

Ninja (profile) says:

But these new data breaches every week or so are starting to get ridiculous.

Breaches that saw the light and got public, you mean, right? What about breaches that were not disclosed to the public? Or worse, breaches that weren’t even noticed?

I’m with you in the punishment part. Companies should be punished. Severely if there is evidence proving incompetence/negligence. And the Government shouldn’t have more data on us than needed because it fits both criteria.

smeee says:

Like other industry specifications

In hazardous area installations with an Ex d enclosure, it is accepted that gas can enter the enclosure and produce an atmosphere that can explode when there is a source of ignition. But the box is designed and tested to ensure that the explosion is contained and dissipated as it escapes, and by the time it meets the outside atmosphere its temperature and pressure are below what would be required to ignite an explosive atmosphere outside.

maybe that is a crap analogy 🙂

Anonymous Coward says:

Re: Like other industry specifications

I get the analogy, however, any box will not provide adequate protection if you drill several large holes in it. Now if it is treated as a secure vault that would be another story. We’ll have to see how Danny Ocean would pull it off to determine the correct security measures.

Anonymous Coward says:

What Me Worry

What Me Worry… because the Veterans Administration; Heartland Payment Systems; Target; Home Depot; Office of Personnel Management; IRS; Hilton Hotels and T-Mobile [and perhaps the young lady working for a concessionaire at the Isle Royale National Park who skimmed my AMEX card and the yet unknown person working at the Whittier, CA contractor generating new ‘secure ID’ drivers licenses for the state, who skimmed my SSN and birth date to establish new charge accounts at Target and Kohl’s] have now taken the special ‘ex post facto’ pledge to keep my data safe and protected.

Anonymous Coward says:

I will not give a mobile company my date of birth or SSN. If they ask for a date of birth, give them a made-up one. At this point almost every big American company has been hacked, apart from the banks and the cable TV companies. There should be a mandated standard: all customer data must be encrypted to a certain secure standard, and this will be checked by a trusted independent company every year.

Buy a phone with cash. I have no passport and no driver’s licence. Why does a mobile company need all that info? I give them my name and address. That’s it. I don’t have any phone contract. I buy phone credit as I need it.

Have 10 companies who just specialize in data security go around and check all databases of companies in America who have more than 50 thousand customers.

Justin Johnson (JJJJust) (profile) says:

Re: Re:

As far as fraudulent purchases go in the US, Federal law gives individual consumers pretty decent protection.

I will note, however, that many if not most fraudulent purchases are eaten by the retailer via the chargeback mechanism and not the banks. Even with chip cards, this will probably still continue to be the case as fraud will shift to card not present fraud and Verified by Visa and MasterCard SecureCode adoption continues to be weak in the US.

David says:

Re: Re:

Given the number of people who are now “monitored” given the large number of breaches, I suspect that other fraud things are being done. Possibly ones like the “IRS” scam (scammer calling you, having personal information, demanding payment of “penalties” else they are coming to arrest you) where it’s more direct and not caught by credit monitoring.

Anonymous Coward says:

I call for the death penalty

Every time a data breach like this happens, a C-level executive at the company responsible should be selected at random and publicly executed.

I believe that this will provide them with the motivation they’re currently lacking — motivation to make data security their top priority instead of profits.

(If a second breach occurs at the same company? Two C-level executives.)

jim says:

C level

But why take it out on a C-level employee? It should be one in charge. A C-level takes orders and processes the item. Someone in the A level initiated an order. C level does or gets canned at the next meeting. So why pick someone at the C level? Secretaries and workers are the real lifeblood of a company. Bosses make or break the company with no regard or punishment for what they do. That’s the shame of hierarchy.

Anonymous Coward says:

Re: C level

Apparently you don’t grasp that C-level means “CIO”, “CFO”, “CSO”, etc. Those are the people running the company and invariably those are the people making massive amounts of money, primarily by screwing the workers below them and ripping off customers, lying through their teeth in press releases and press conferences. They’re responsible. They should suffer the (brutal) consequences.

Because until they do, this won’t stop. Why should it? They can pocket their $32.7M salary and their $8M bonus and laugh all the way to the bank at the millions of poor schmucks who are going to get ripped off thanks to the latest data breach.

Anonymous Coward says:

I think the biggest part of the story is it wasn’t T-Mobile that got hacked, it was Experian…

And Experian literally has everyone’s credit info.

Thankfully, as we have been told, it’s only limited to T-Mobile, and yes, maybe T-Mobile bears some responsibility for trusting Experian, but come on.

As a T-Mobile customer I’m not blaming them for hiring them. Hell, the only thing Experian does is gather personal data… Oh, and provide monitoring if the data being collected is being misused…. And they completely failed not only in preventing it from being stolen but also, once stolen, in not having it scrambled/protected in a way rendering the data unusable…. Something a teenage boy does for his porn collection better.

kerrie hemphill (profile) says:

T Mobile(s') AUDACITY!

How is T-Mobile getting away with these fraudulent charges to their customers AND KEEPING THEIR CUSTOMERS?? C’MON AMERICA WE USED TO RUN THESE RIP-OFFS OUTTA TOWN… Widdle tail wagged down. As if that wasn’t enough now my personal information and to some hack in a phishing phase a free ticket to steal an identity, my identity!! Disclosures … and of this MAGNITUDE?
OMG LET US ALL DECIDE TO PUT T MOBILE TO SHAME! SHAME, SHAME, SHAME!! let’s all find a worthy opponent…
I received my formal apology letter yesterday, October 26, 2015. I was told, when I gave my “information around the 19th of September (2015), that was when it was likely to have leaked…” like a faucet! Especially strange since I didn’t give them any information about myself, not on nor around that date. My information, which I conveyed to Walmart, was shared almost 3 years ago.
Purposefully the day I got a call from T Mobile, I felt I had, in my ear, a selfish ass.
I had been a customer, not even a month, with unlimited text, calls and web. The phone, super pricey, I wouldn’t have it if my son. And, the payments seemed great. So my son bought the phone and I paid the first month. This was not working out for me already, when the month isn’t over and you want what?
I called back that day after I did some processing.
I gave my account name and number. I exclaimed about and so what to the raw smooth talker tellin’ me why I owe… dis doesn’t convince the customer, who is always right. I’m going to take a loss on the phone. “What?” Twas said.
I am going to sell this beautiful phone and kiss my customer ass goodbye. Blablablabla was all I heard and then I said Y’all n’r gonna get anything more, bye bye now…. T Mobile has the AUDACITY to send me that bill, that bogus bill, still? Let us all say, T Mobile Sucks! Let us put them all the way down outta business…… T Mobile takes from the giving and then discloses, in a widdle incident, MY IDENTITY. OK WHO’S WITH ME?

We apologize we didn’t get it the first go ’round
