Privacy groups call for investigation into Experian following T-Mobile data leak

Hackers

12/10/2015: US Privacy groups have called for a federal investigation into credit agency Experian after the customer details of 15 million T-Mobile customers went up for sale on the dark web last week.

The Public Interest Research Group (PIRG) made the appeal, with the support from 28 other privacy bodies in the country, saying the credit agency must be held to account.

It said a data security breach that affected all of Experian's credit report files would be a terrifying disaster because it holds data from 200 million Americans - not just T-Mobile customers. If its systems had been hacked to expose the details of the 15 million T-Mobile customers, more data from the organisation could also be put at risk.

However, it has been revealed the data breach was from Experian's Decisioning Solutions subsidary rather than the entire organisation, in which case the damage may have been limited.

"If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?" PiRG's consumer programme director, Ed Mierzwinski said.

"If it was subject to the same protections as the credit reporting server, doesn't this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?"

"Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident," an Experian spokesman told the BBC.

"Security is a top priority for the company, and Experian is committed to continuous investments in upgrading talent, processes, and technologies needed to protect our systems."

05/10/2015: The details of 15 million T-Mobile customers stolen from credit monitoring agency Experian have gone up for sale on dark web marketplaces.

Irish fraud prevention startup Trustev told VentureBeat that it had come across multiple sale listings for fullz' on hidden dark net websites.

Senior writer Jane McCallion says:

"This incident presents an interesting case for the siloing of data - the reason only T-Mobile customers were affected was because the server that was compromised handled credit-check data exclusively for the mobile network. While this may be cold comfort for T-Mobile subscribers, the spread of victims could have been much wider, and the number of people affected much greater, had there been greater data fluidity at Experian."

Due to the nature of this type of data heist, the stolen details are often sold online within a matter of days. A Trustev spokesperson told VentureBeat, "it's not definitely T-Mobile/Experian, but it's extremely likely considering the type of data and timing".

While Experian claims no payment data was stolen, the leak of complete identity records presents a comparable, if not larger risk, due to the extensive exploitation of financial systems that then becomes possible.

02/10/2015: The personal details of 15 million T-Mobile customers have been stolen by hackers in an attack not on T-Mobile itself, but on credit ratings agency Experian.

According to a statement from Experian, the stolen data includes names, dates of birth, social security numbers and other ID like driving licenses, but not payment or banking information.

From the company's statement, it would appear that one single server, the one used to process information for T-Mobile, was affected, and Experian in its statement was at pains to note its consumer credit database was not accessed.

Craig Boundy, CEO of Experian North America, said: "We take privacy very seriously and we ... sincerely apologise for the concern and stress that this event may cause. That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."

T-Mobile's CEO John Legere also issued a statement to customers, which leaves no opportunity for doubt as to his feelings on the matter.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," said Legere. "But right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us.

"I do want to assure our customers that neither T-Mobile's systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."

"Anyone concerned that they may have been impacted by Experian's data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts," he added.

"Clearly, the most important victims here are the T-Mobile users who have had their personal details exposed," said security expert Graham Cluley in a blog post. "But you can't help but feel some sympathy with T-Mobile too. Their own computer systems don't appear to have been hacked. They trusted a well-known third party company to take proper care of their customers' data, and - although we don't know the details yet of just how things went so badly wrong - clearly there was a failure."

Jane McCallion
Managing Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.