T-Mobile Customer Data Leaked By Experian… And Faulty Encryption Implementation
from the well,-isn't-that-grand dept
This week’s big data leak comes from mobile phone provider T-Mobile, who has admitted that someone hacked into credit giant Experian and got a bunch of T-Mobile customer data. The good news? The personal data was encrypted. The bad news? Experian fucked up the encryption and so it doesn’t matter:
We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver?s license or passport number), and additional information used in T-Mobile?s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.
I happen to be a T-Mobile customer, and I look forward to the usual bullshit response of a year’s worth of credit monitoring and promises that this will never happen again. You know, until it does.
As I’ve said before, I do worry about holding companies totally responsible for when they get hacked, because a determined adversary will hack into any company they want to eventually. That’s just the nature of the game. But when the company appears to be totally incompetent to the point of being negligent, it seems reasonable to hold them responsible. I’m sure in the coming days we’ll find out more details about how the “encryption was compromised” (and we’ll also probably learn that it impacts many more people than originally claimed). But these new data breaches every week or so are starting to get ridiculous.
Filed Under: customers, data breach, encryption, hack, security
Companies: experian, t-mobile
Comments on “T-Mobile Customer Data Leaked By Experian… And Faulty Encryption Implementation”
I have no worries about this, despite being a T-Mobile customer.
Target has me covered.
I’m used to it. With all the credit monitoring I’m getting, I believe I’m now set for life plus 70 years.
Re: Re:
I’m used to it. With all the credit monitoring I’m getting, I believe I’m now set for life plus 70 years.
I know this is tongue firmly in cheek, but if you are relying on credit monitoring services to keep you secure, you’ve already lost.
Better is to remove credit from the equation. Get rid of the big four credit reputation companies and the problem disappears immediately (well, except for the IRS, which still allows scammers to submit fraudulent tax returns based solely on publically available information, and it is pretty safe to assume that your SSN and other vital information is publically available by now.) Makes buying things on credit harder, but how many times do people actually do that in their lives.
Credit freeze is really the best way of doing this, and so long as it is implemented correctly (which, considering Experian is one of the four, and they have seriously fucked up here, that is a shaky assumption,) it makes things far more difficult for the scammers/criminals to use your information to steal stuff.
Re: Re: Re:
Credit scores are accessed for more things than just applying for credit. Your credit score might be checked when applying for jobs and renting apartments, and on signing up for various utilities including things like cell phones.
I’m not saying that a credit freeze isn’t a good idea, but it is something to be aware of for those considering that path.
But these new data breaches every week or so are starting to get ridiculous.
Breaches that saw the light and got public you mean. right? What about breaches that were not disclosed to the public? Or worse, breaches that weren’t even noticed?
I’m with you in the punishment part. Companies should be punished. Severely if there is evidence proving incompetence/negligence. And the Government shouldn’t have more data on us than needed because it fits both criteria.
Well isn’t that convenient. You can’t take legal action against a any of the Credit bureaus.
Like other industry specifications
In hazardous area installations an eXd enclosure it is accepted that gas can enter the enclosure and produce an atmosphere that can explode when there is a source of ignition event. But the box is designed and tested to ensure that the explosion is contained and dissipated as it escapes and by the time it meets the ouside atmosphere it’s temperature and.pressure is below what would be required to ignite and explosive atmosphere outside.
maybe that is a crap analogy 🙂
Re: Like other industry specifications
I get the analogy, however, any box will not provide adequate protection if you drill several large holes in it. Now if it is treated as a secure vault that would be another story. We’ll have to see how Danny Ocean would pull it off to determine the correct security measures.
What Me Worry
What Me Worry… because the Veterans Administration; Heartland Payment Systems; Target; Home Depot; Office of Personnel Management; IRS; Hilton Hotels and T-Mobile [and perhaps the young lady working for a concessionaire at the Isle Royale National Park who skimmed my AMEX card and the yet unknown person working at the Whittier, CA contractor generating new ‘secure ID’ drivers licenses for the state, who skimmed my SSN and birth date to establish new charge accounts at Target and Kohl’s] have now taken the special ‘ex post facto’ pledge to keep my data safe and protected.
Is there actually....
…a standard for “encryption” these kinds of things / companies have to meet?
I’ve got this nagging suspicion that ROT13 is stronger than whatever most of them use…
Re: Is there actually....
I’ve got this nagging suspicion that ROT13 is stronger than whatever most of them use…
As someone joked online yesterday, Experian probably ran everything through ROT13 twice for “enhanced security.” 🙂
I will not give a mobile company my date of birth or ssn no.
if they ask for a date of birth give em a made up one.
A this point almost every big american company has been hacked apart from the banks and the cable tv companys .
There should be a mandated standard all customer data must be encrypted to a certain secure standard and this will
be checked by a trusted independent company every year .
Buy a phone with cash.
i have no passport and no drivers licence .
Why does, a mobile company need all that info .
I give em my name adress .That,s it.
i don,t have any phone contract.
i buy phone credit as i need it .
Have 10 companys who just specialize in data security
go around and check all database,s of companys in america
who have more than 50 thousand customers .
Just another reason to use post-paid. As these breaches grow increasingly common, I think it would be good to reevaluate what we consider need-to-know information.
Re: Re:
*pre-paid
Given the scale of the hacks, you would expect mass fraud and identity theft. The banks and credit card companies seem to bear the brunt of the cost, upgrading infrastructure, issuing new cards, eating the cost of fraudulent purchases.
Am I mistaken or has there been very little harm to end-users?
Re: Re:
Very few people have been on the hook for the fraud but these companies that spend billions covering their mistakes aren’t shelling the money out of their pocket. It’s passed on to the consumer in higher prices so in effect everyone is paying.
Re: Re:
As far as fraudulent purchases go in the US, Federal law gives individual consumers pretty decent protection.
I will note, however, that many if not most fraudulent purchases are eaten by the retailer via the chargeback mechanism and not the banks. Even with chip cards, this will probably still continue to be the case as fraud will shift to card not present fraud and Verified by Visa and MasterCard SecureCode adoption continues to be weak in the US.
Re: Re: Re:
So everyone ends up paying extra for things in order to make up for it. Business and banks aren’t just going to take it in the shorts – prices increase to accommodate the losses.
Re: Am I mistaken or has there been very little harm to end-users?
Who do you think is paying for all this stuff? The banks and credit card companies?
Good one.
Re: Re:
Given the number of people who are now “monitored” given the large number of breaches, I suspect that other fraud things are being one. Possibly ones like the “IRS” scam (scammer calling you, having personal information, demanding payment of “penalties” else they are coming to arrest you) where it’s more direct and not caught by credit monitoring.
I call for the death penalty
Every time a data breach like this happens, a C-level executive at the company responsible should be selected at random and publicly executed.
I believe that this will provide them with the motivation they’re currently lacking — motivation to make data security their top priority instead of profits.
(If a second breach occurs at the same company? Two C-level executives.)
C level
But why take it out on a c-level employee, it should be one in charge. A c-level takes orders and processes the item. Some one in the a level initiated an order. C level does or gets canned at the next meeting. So why pick someone at the c level. Secretaries and workers are the real lifeblood of a company. Bosses make or break the company with no regard or punishment for what they do. That’s the shame of heirachy.
Re: C level
Apparently you don’t grasp that C-level means “CIO”, “CFO”, “CSO”, etc. Those are the people running the company and invariably those are the people making massive amounts of money, primarily by screwing the workers below them and ripping off customers, lying through their teeth in press releases and press conferences. They’re responsible. They should suffer the (brutal) consequences.
Because until they do, this won’t stop. Why should it? They can pocket their $32.7M salary and their $8M bonus and laugh all the way to the bank at the millions of poor schmucks who are going to get ripped off thanks to the latest data breach.
Take a single dollar or even a penny from every person who has has their data stolen/leaked and criminal organizations end up with lots and lots of money.
Experian hacked?
You mean one of the three companies that have credit/personal information on just about everyone in the country?
Experian also provides this service for more people than T-Mobile, right?
So what are the odds that this is the first of many?
Experian does have a credit monitoring product, so I guess that’s convenient.
My butt is covered with breaches...
What, me worry?
So, now that it's affected YOU, maybe you will worry about corporate responsibility....
Though you’re already hedging.
But not much will change unless executives are tossed into jail without bail.
I think the biggest part of the story is it wasnt T-mobile that got hacked it was Experian…
And Experian literally has everyone’s credit info.
Thankfully as we have been told its only limited to T-mobile and yes maybe T-mobile bears some responability for trusting Experian but come on.
As a T-mobile customer i’m not blaming them for hiring them. Hell the only thing Experian does is gather personal data… Oh and provide monitoring if the data being collected is being misused…. And they completely failed not only in preventing it from being stolen but also once stolen not being scrabled proteced in a aay rsndering the data unusable…. Something a teenage boy does for his porn collection better
Re: Re:
Oh come on its not like Experian sold like 200 million records to an identity theft ring… ohhh nevermind.
wait for the price increase to “compensate for increased security” while they pocket the increase.
AS a certain well known sleaze bag likes to say “never waste a crisis for personal gain”
Experian breach
Are you sure the hacker didn’t get in through a “security”
agency back door? That seems likely to me.
T Mobile(s') AUDACITY!
How is T-Mobile getting away with these fraudulent charges to their customers AND KEEPING THEIR CUSTOMERS?? C’MON AMERICA WE USED TO RUN THESE RIP-OFFS OUTTA TOWN… Widdle tail wagged down. As if that wasn’t enough now my personal information and to some hack in a phishing phase a free ticket to steal an identity, my identity!! Disclosures … and of this MAGNITUDE?
OMG LET US ALL DECIDE TO PUT T MOBILE TO SHAME! SHAME, SHAME, SHAME!! let’s all find a worthy opponent…
I received my formal apology letter, yesterday, October 26, 2015. I was told, when I gave my “information around the 19th of september (2015)- that was when it was likely to have leaked…”like a facet! Especially strange since I didn’t give them any information about myself, not on nor around that date. My information, which I conveyed to Walmart, was shared almost 3 years ago.
Purposefully the day I got a call from T Mobile, I felt I had, in my ear, a selfish ass.
I had been a customer, not even a month, with unlimited, text, calls and web. The phone, super pricey, I wouldn’t have it if my son. -And, the payments seemed great.So my son bought the phone and I payed the first ,month. This was not
working out for me already, when, the month isn’t over and you want what?
I called back that day after i did some processing.
I gave my account name and number. I exclaimed about and so what- to the raw smooth talker tellin’ me why I owe…dis doesn’t convince the customer, who is always right. I’m going to take a loss on the phone. “What?” Twas said.
I am going to sell this beautiful phone and kiss my customer ass goodbye. Blablablabla was all I heard and then I said Y’all n’r gonna get anything more, bye bye now…. T mobile has the AUDACITY to send me that bill, that bogus bill, still? Let us all say, T Mobile Sucks! Let us put them all the way down outta business……T Mobile takes from the giving and then discloses, in a widdle incident, MY IDENTITY. OK WHO’S WITH ME?
We apologize we didn’t get it the first go ’round