Hackers are believed to have stolen personal data of 15 million T-Mobile customers after breaking into the computer systems of credit reporting agency Experian.
The breach shows that companies not only have to be concerned about their own data security capabilities, but also those of their suppliers.
T-Mobile, which uses Experian’s credit checking services, has been quick to emphasise that the breach did not affect any of the mobile phone company’s systems or networks.
Although the stolen data includes customer details, such as home addresses and dates of birth, the company said no payment card data or bank account information was exposed.
“I take our customer and prospective customer privacy very seriously. This is no small issue for us,” said John Legere, chief executive of T-Mobile, the third largest mobile carrier in the US after Verizon and AT&T.
“Experian has assured us it has taken aggressive steps to improve the protection of its system and of our data,” he said in a statement.
Legere also said that he was “incredibly angry” about the breach and T-Mobile will institute a “thorough review” of its relationship with Experian.
Risk of identity theft
Although millions of T-Mobile customers are potentially affected, the breach reportedly affects only people in the US who were credit-checked in the past two years. However, this is not limited to T-Mobile customers, and includes anyone who applied for services or device financing.
Experian said in a statement that the company does not know who was behind the hack and is taking “necessary steps” to prevent further breaches. The company also said its consumer credit database was not affected by the breach.
However, this is the second huge breach linked to Experian. An attack on an Experian subsidiary in 2014 exposed the social security numbers of 200 million US citizens, according to the Guardian.
Tim Erlin, director of IT security and risk strategy at Tripwire, said that while it is tempting to consider this breach a lesser risk because no credit card data was compromised, the loss of this type of personal information can lead to identity theft.
“It can be difficult and costly for consumers to recover when their identity is stolen,” he said.
However, T-Mobile said the stolen data also includes encrypted fields with social security numbers and ID numbers, such as driver’s license numbers or passport numbers.
If hackers are able to crack the encryption, this data could be a source of long-term problems, said John Gunn of Vasco Data Security International.
“Experian says no credit card data was acquired, ‘only’ personal data, including social security numbers, as though this is positive news. You can get a new credit card in as little as 24 hours, but you can never get a replacement social security number. It is the hacker-gift that keeps on giving for the rest of the victim’s life,” he said.
A warning for wireless carriers
On a positive note, Tripwire’s Tim Erlin points out that the fact that no other Experian customers appear to be compromised indicates Experian segregated the data in a way that limits exposure.
“Breaches are a fact of life these days, and limiting damage is an important part of a comprehensive protection strategy,” he said.
Ken Westin, senior security analyst at Tripwire, said wireless carriers have long been a hot target for hackers due to the wealth of information they store on their customers.
“It should not be a surprise that we see cyber criminals targeting business partners – they can prove to be easier targets than the carrier themselves,” he said.
Westin said this breach should be a warning for all wireless carriers and their business partners because these types of attacks usually occur in clusters in a given industry.