The Next Massive Data Breach-Experian


Apparently, the relationship between T-Mobile and Experian has soured for the immediate future. Per CNET (2015) “Hackers stole the personal data of 15 million T-Mobile customers by going after the company that processes the wireless carrier’s credit checks.” The attack ranged from September 1, 2013, to September 16, 2015 (OVER 2 YEARS!) according to PR Newswire.

Here is Experian’s statement to Forbes:

A hacker or hackers appear to have obtained access to an Experian server—one that is not a part of its consumer credit bureau, the company said—that hosted the personal information of people who applied for the carrier’s services between Sept. 1 2013, and Sept. 16, 2015. The information accessed included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, and passport IDs.

The Verge points out that Experian (and other credit bureaus) are lucrative targets for scammers and malicious hackers. The Verge (2015) recalls that “in 2012, a Vietnamese scammer named Hieu Minh Ngo was able to obtain fraudulent access to the database, offering it for sale on an underground fraud site. While Ngo’s access to the database was terminated at the end of 2012, the incident has been treated by federal law enforcement as a breach, and led to a number of ongoing suits against the agency.” Needless to say, Experian still doesn’t seem to have embraced a culture of security and is still feeling the effects of the lack thereof.

Our Analysis

In theory, someone who holds a security clearance (from the Department of Energy, with records stored with OPM), has Blue Cross Blue Shield insurance, uses or has used Ashley Madison, uses T-Mobile, and has stayed in a Trump Hotel could be absolutely doomed. Enough of worst-case scenarios. In all seriousness, this attack makes me seriously question how organizations can operate without proper security controls in place. They should certainly listen to the Advanced Persistent Security Podcast, specifically the SANS Top 20 series.

At this time, the only things known seem to be the scope of data compromised and the timeline. Fortune further elaborated on the scope. They state that:

“Experian gave no hint about who may have accessed its customer data, other than to say it was ‘an unauthorized party.’

‘We do not know who the criminals were behind this incident,’ the company said. It added that ‘there is no evidence that the data has been used inappropriately,’ and that it is working with law enforcement on the matter.

Experian said the data had been encrypted. But it added that it may have been compromised.”

Please continue to follow us as we will be providing relevant details for this as they become available.

T-Mobile CEO’s Statement

T-Mobile’s CEO, John Legere, made this statement to the Wall Street Journal:

“We will institute a thorough review of our relationship with Experian,” he said. Meanwhile, any T-Mobile customer or applicant can get two years of free credit monitoring services from Experian itself. T-Mobile said the data was stored by Experian and was required by law to be held for a minimum of 25 months.

Here is the initial tweet that Legere sent to let T-Mobile customers know:

[Image: TMCEOTweet]

Here are some more of his tweets, showing Mr. Legere sympathizing with customers and vowing to find a solution:

[Image: TMCEOTweet2]

This is the next in a long line of serious data breaches. Here is a list of breaches that we have covered in this blog:
OPM Data Breach
Department of Energy Cyber Attacks
Ashley Madison Data Breach
Follow up to Ashley Madison Data Breach
Trump Hotels infected with Malware
Excellus Blue Cross Blue Shield Hacked

If you think your data may have been compromised in this breach or any other, please check out HaveIBeenPwned and enter your email address.

References

CNET
PR Newswire
Forbes
Wall Street Journal
Fortune


About Joe Gray

Joe Gray is a native of East Tennessee. He joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and Cyber Security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security. Joe is in pursuit of his PhD in Information Technology (with focus in Information Assurance and Security). His undergraduate and graduate degrees are also in Information Technology (with focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed a Graduate Certificate in Business Intelligence. He also is a part-time (Adjunct) Faculty at Georgia Gwinnett College. Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone in addition to tinkering with and testing scripts in R and Python.