The Next Massive Data Breach-Experian

Apparently, the relationship between T-Mobile and Experian has soured for the immediate future. Per CNET (2015), “Hackers stole the personal data of 15 million T-Mobile customers by going after the company that processes the wireless carrier’s credit checks.” The attack ranged from September 1, 2013, to September 16, 2015 (OVER 2 YEARS!), according to PR Newswire.

Here is Experian’s statement to Forbes:

A hacker or hackers appear to have obtained access to an Experian server—one that is not a part of its consumer credit bureau, the company said—that hosted the personal information of people who applied for the carrier’s services between Sept. 1 2013, and Sept. 16, 2015. The information accessed included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, and passport IDs.

The Verge points out that Experian (and other credit bureaus) are lucrative targets for scammers and malicious hackers. The Verge (2015) recalls that “in 2012, a Vietnamese scammer named Hieu Minh Ngo was able to obtain fraudulent access to the database, offering it for sale on an underground fraud site. While Ngo’s access to the database was terminated at the end of 2012, the incident has been treated by federal law enforcement as a breach, and led to a number of ongoing suits against the agency.” Needless to say, Experian still doesn’t seem to have embraced a culture of security and is still feeling the effects of the lack thereof.

Our Analysis

In theory, someone with a Security Clearance (from the Department of Energy, with records stored with OPM) and Blue Cross Blue Shield insurance, who uses or has used Ashley Madison, uses T-Mobile, and stayed in a Trump Hotel could be absolutely doomed. Enough of worst-case scenarios. In all seriousness, this attack makes me seriously question how organizations can operate without proper security controls in place. They should certainly listen to the Advanced Persistent Security Podcast, specifically the SANS Top 20 series.

At this time, the only things known seem to be the scope of data compromised and the timeline. Fortune further elaborated on the scope. They state that:

“Experian gave no hint about who may have accessed its customer data, other than to say it was ‘an unauthorized party.’

‘We do not know who the criminals were behind this incident,’ the company said. It added that ‘there is no evidence that the data has been used inappropriately,’ and that it is working with law enforcement on the matter.

Experian said the data had been encrypted. But it added that it may have been compromised.”

Please continue to follow us as we will be providing relevant details for this as they become available.

T-Mobile CEO’s Statement

T-Mobile’s CEO, John Legere, made this statement to the Wall Street Journal:

“We will institute a thorough review of our relationship with Experian,” he said. Meanwhile, any T-Mobile customer or applicant can get two years of free credit monitoring services from Experian itself. T-Mobile said the data was stored by Experian and was required by law to be held for a minimum of 25 months.

Here is the initial tweet that Legere sent to let T-Mobile customers know:

Here are some more of his tweets, showing Mr. Legere sympathizing with customers and vowing to be in the process of finding a solution:

This is the next in a long line of serious data breaches. Here is a list of breaches that we have covered in this blog:
OPM Data Breach
Department of Energy Cyber Attacks
Ashley Madison Data Breach
Follow up to Ashley Madison Data Breach
Trump Hotels infected with Malware
Excellus Blue Cross Blue Shield Hacked

If you think your data may have been compromised in this breach or any other, please check out HaveIBeenPwned and enter your email address.


PR Newswire
Wall Street Journal

About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.