Experian-T-Mobile US hack: 'We trusted them, now that trust is broken'

The IT security breach that spilt the personal details of an estimated 15 million T-Mobile US phone contract applicants has thrown a new spotlight on the risks of breaches at third-party companies. T-Mobile's own systems weren't compromised. Rather, the source of the leak was Experian, the company that processed the carrier's …

  1. Turtle

    An Icon. An Iconic Icon, Necessary But Missing.

    I was going to make a ridiculing and contemptuous remark about "internet security" and "data protection" but when I went to choose a suitable icon (a site feature that I have never used before), I couldn't find what I was looking for - an image of a wedge of swiss cheese.

    'Cos when it comes to "internet security" and "data protection" a wedge of swiss cheese is the only appropriate emblem.

  2. elDog

    Hello fox, here's the hen house

    The last thing in the world I want is one of these "credit monitoring agencies" looking at my private bits.

    And yet that is exactly what you get if you are targeted by Target.com, Walmart, Gap, Whatever. After you have had all your privates lifted, you are supposed to trust them again to some fine group of spies to keep an eye on them.

    Shit, do they think we're that stupid? (rhetorical only.)

    1. ecofeco Silver badge

      Re: Hello fox, here's the hen house

      We would be that stupid if we had a choice, but everyone IS in the credit industries system and there are no alternatives short of going full monk or wilderness man.

  3. Anonymous Coward

    Welcome to the cloud.

  4. Vector

    Another Incorrect Conclusion

    "Ultimately, T-Mobile's customers aren't going to care where and how the breach occurred, the bottom line is they trusted T-Mobile with their sensitive data and now that trust is broken," Brown added.

    No, my trust in Experian is broken. T-Mobile did a good job of getting out in front of this and laying the blame at Experian's feet, where it properly belongs.

    Honestly, I would expect a company in that business, entrusted with some of the most sensitive personal data in existence, to take security far more seriously than it appears from this breach. That the exposure went on for years is simply unfathomable.

    1. Gray
      Trollface

      Re: Another Incorrect Conclusion

      "Honestly, I would expect a company in that business, entrusted with some of the most sensitive personal data in existence, to take security far more seriously than it appears from this breach. That the exposure went on for years is simply unfathomable."

      Not so surprising, really, if you understand US corporate mentality. The business plan is to catch and corral more horses in the barn. Nobody dare suggest that serious money be spent on a stronger lock.

      Until, of course, the door is breached. Then the lock department is held accountable.

  5. Will Godfrey Silver badge
    Facepalm

    mega fail

    And this is one of the companies that our illustrious leaders want to use for identity verification.

    I've known for years that they were a dodgy bunch (long story) but not that they were quite this bad.

  6. Anonymous Coward

    Do they ever consider just telling the truth?

    "a limited period of time" apparently means "no earlier than the big bang". They must know that while some of their victims will feel vaguely reassured, many others will simply conclude that they are hopelessly addicted to lying, and that nothing they say can be trusted. By at least being frank they could hope to gain some grudging respect (as T-Mobile has) - what do they fear losing? Is it fear of litigation? Or just a vapid yes-man culture?

    1. Mark 85

      Re: Do they ever consider just telling the truth?

      This company is one of the big three credit agencies. If they didn't know about this break-in what else didn't they know about? Could someone break in and "for a fee" fix someone's credit? Or destroy it?

      This "limited time period" doesn't sit well. Neither does the "we just found out" excuse.

  7. Viper1j

    SO SWEET!

    They got my ex's info!

    I'm officially in love with karma!

  8. Anonymous Coward
    Childcatcher

    PCI DSS?

    Given the nature of their business then I would imagine that PCI DSS applies.

    Unencrypted data may represent a fail. However if the storage volumes that they were stored on were encrypted but accessible due to being online then sadly that would probably pass.

    Still, given there was a breach then something else may surface as a fail. My money is on an admin password on a post-it note stuck to a monitor near a window.

    1. Anonymous Coward
      Mushroom

      Re: PCI DSS?

      What was involved in the failure is irrelevant. PCI-DSS is structured so that any breach is an automatic failure if credit card data is involved (actual CC#, CVV). Where it gets fuzzy is the encryption of the card data itself. The miscreants (love that word) made off with their code/software as well and it seems that it wasn't strong cryptography to begin with. That's the fracture point. How the CC companies view that fracture is the make or break for Experian.

      Can't wait to hear the twenty-ton thud that will be the class-action suit.

    2. Captain DaFt

      Re: PCI DSS?

      "My money is on an admin password on a post-it note stuck to a monitor near a window."

      Nothing so esoteric. Flash back to the '90s when most breaches of this type were engineered simply by Billy Cracker phoning in and asking... err, demanding access via: "I don't have time for this, give me access right now, or clean out your desk!"

      Nobody remembers the past.

      1. Anonymous Coward

        Re: PCI DSS?

        I've heard they had a voicemail or dialup system in the 90s that would give you everything - SSN, DOB, CC's - without talking to a human at all. And carders were running wild in it.

        1. m0rt

          Re: PCI DSS?

          "Nobody remembers the past."

          Au contraire. Everyone remembers the past.

          Unless I am some kind of reverse Merlin and never knew it....

          1. VinceH

            Re: PCI DSS?

            "Au contraire. Everyone remembers the past."

            Except those who forget it - which is what Captain DaFt meant.

            Also, if you are suggesting that nobody remembers the future, I dispute that. I remember perfectly well that I made a nice cup of tea immediately after posting this. :p

  9. Citizens untied

    How long until my personal information is useless anyway because it is unverifiable due to the number of data breaches? Is Tyler Durden's dream coming true?

    1. midcapwarrior

      I now receive free "credit monitoring" based on breaches at OMB, DOE, and Target.

      Not sure if I should feel lucky no one has used my info yet (as far as the monitors know), or offended that I'm not worth the effort.

  10. Anonymous Coward

    Who Judges the Judges ?

    ... but the Judges themselves.

    (Trees cannot have cycles in them, so ultimately, in a system without checks and balances, you have to place unquestioning trust in at least one group of individuals at the top of the tree to police themselves.)

  11. bob, mon!
    Unhappy

    I will never use Experian again!

    Oh wait... I didn't want to use them in the first place. And I have no influence and little-to-no choice over whether companies I deal with do use them. Sigh...

  12. D Moss Esq

    Experian, the "identity provider"

    The T-Mobile hack is just as much a UK story as a US one. Experian is a FTSE-100 company. They oil the wheels of commerce and of marketing, including political marketing. They are also an appointed "identity provider" for the UK government's identity assurance programme, GOV.UK Verify (RIP): "When you’re using digital services, you need to be sure that your privacy is being protected and your data is secure".

    GOV.UK Verify (RIP) is run by the Government Digital Service (GDS), who have so far remained silent about the T-Mobile hack and every other problem that the programme faces. Where is their head? In the sand.

    GDS are more outspoken when trying to sell the putative virtues of GOV.UK Verify (RIP) to entrepreneurs, their argument being that sharing our personal data with all and sundry via GOV.UK Verify (RIP) will cause the UK economy to grow.

    Unlike GDS, the venture capitalists who back entrepreneurs cannot afford to have their head in the sand. They will have noticed T-Mobile even if GDS haven't and their cheque books will by now be firmly locked in their desks. GOV.UK Verify RIP.

  13. UlfMattsson

    Encryption?

    I find it very concerning that “Experian has determined that this encryption may have been compromised."

    Aberdeen Group reported in a very interesting study with the title “Tokenization Gets Traction” that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

    Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

    Visa, Amex, MasterCard and ApplePay are now switching to tokenization for the same reasons.

    We can “reduce the amount of data that is sensitive” by using data tokenization.

    Ulf Mattsson, CTO Protegrity

    1. Warm Braw

      Re: Encryption?

      Tokenisation is only of any use when the token unambiguously maps to another piece of information, and where the token can be processed as if it were that other piece of information.

      Credit reference checks are typically trying to match fuzzy information (poorly-transcribed names, addresses, etc, supplied from different sources) in an attempt to identify individuals and their relationships (such as people in the same household). It's sufficiently fuzzy that sometimes this matching just goes plain wrong: tokenisation won't help with this kind of data.

      You've been quoting the Aberdeen Group report using the same exact words on seemingly every news website that has a data breach story for months now - do you think you could restrict your advertising at least to those places where it has some potential relevance?

  14. Mike Pellatt
    WTF?

    "steps must be taken to ensure that critical customer information is protected regardless of where it is in the supply chain."

    So, tell me Mr Outsourcing Provider Salesdroid - how I can do that (with extra special emphasis on the word "ensure") without spending damn' nearly as much as (or very possibly more than) I'd have to to do the whole thing myself in the first place ??

    Gone very quiet, all of a sudden.

  15. Alan Denman

    Trust

    Only morons trusted 100%.

    It just happens that in the cloud, the stakes are far higher.

  16. Bucky 2
    Black Helicopters

    Trust in Experian

    I'd argue any trust in Experian was already misplaced before the breach.

    I don't know of a single human soul who has looked at their Experian credit reports and found them to be particularly accurate. If they're that slapdash in their approach to details in one area, they're likely to be careless with details in another.

  17. UlfMattsson

    How could Experian allow decryption of 15 million Social Security Numbers?

    How could Experian allow decryption of 15 million Social Security Numbers? We know that most banks limit the amount you can withdraw from an ATM on a daily basis to limit fraud.

    Encryption and decryption is only a way to enforce a security policy. A security policy can be applied to encryption or tokenization services. The PCI DSS Tokenization Guidelines, released in 2011, suggest that tokenization systems can be configured to throttle or reject abnormal requests, reducing the potential exposure of unauthorized activity.

    Also the Visa Tokenization Best Practices guide for tokenization, released in 2010, suggests that tokenization systems can be configured to throttle or reject abnormal requests, reducing the potential exposure of unauthorized activity.

    I suggest that also all encryption/decryption services should apply similar rate limiting rules to prevent or limit theft of sensitive information from databases.

    Ulf Mattsson, CTO Protegrity
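    The two ideas argued over in this thread, that a vault token only helps where an exact match is enough (Warm Braw's point) and that detokenization or decryption calls should be throttled per caller so one compromised account cannot drain the whole store (Ulf Mattsson's point), as an added illustration that is not part of any comment above and not Protegrity's or Experian's code. The vault, the sliding-window quota, the caller name "billing-svc" and the sample SSNs are all constructed for the example.

```python
import secrets
import time
from collections import deque


class TokenVault:
    """Vault tokenization: random tokens stand in for values; reveals are rate limited per caller."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self._forward = {}   # plaintext value -> token
        self._reverse = {}   # token -> plaintext value
        self._calls = {}     # caller -> deque of recent detokenize timestamps
        self.limit, self.window, self.clock = limit, window_seconds, clock

    def tokenize(self, value):
        """Return the token for value, minting a fresh random one on first sight.
        The same value always maps to the same token, so exact-match joins keep working;
        fuzzy matching (misspelt names, partial addresses) does not, as the thread notes."""
        token = self._forward.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)
            while token in self._reverse:  # vanishingly rare, but keep tokens unique
                token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return token

    def detokenize(self, caller, token):
        """Reveal the value behind token, or refuse once caller exhausts its sliding-window quota."""
        now = self.clock()
        recent = self._calls.setdefault(caller, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # forget calls that fell out of the window
        if len(recent) >= self.limit:
            raise PermissionError(f"detokenize quota exhausted for {caller!r}")
        recent.append(now)
        return self._reverse[token]


def bulk_detokenize(vault, caller, tokens):
    """Reveal every token as one caller; return (revealed, refused) counts for the audit log."""
    revealed = refused = 0
    for token in tokens:
        try:
            vault.detokenize(caller, token)
            revealed += 1
        except PermissionError:
            refused += 1
    return revealed, refused


def demo():
    # Constructed sample SSNs, not real ones. A quota of 3 reveals per 60 s caps what a single
    # service account can pull in one burst, however many tokens the database holds.
    vault = TokenVault(limit=3, window_seconds=60, clock=lambda: 1000.0)
    ssns = ["000-00-0001", "000-00-0002", "000-00-0003", "000-00-0004", "000-00-0005"]
    tokens = [vault.tokenize(ssn) for ssn in ssns]
    return bulk_detokenize(vault, "billing-svc", tokens)  # -> (3, 2)
```

    Refusals of this kind are the signal to alert on; a legitimate batch job that trips the quota is a configuration conversation, while an unexpected caller doing so is an incident.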
