Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Experian Hack Exposes Data of 15 Million T-Mobile Consumers

Experian on Thursday announced that a server containing information on T-Mobile customers was compromised, and that information of roughly 15 million individuals has been exposed.

Experian on Thursday announced that a server containing information on T-Mobile customers was compromised, and that information of roughly 15 million individuals has been exposed.

Experian processes credit applications on behalf of T-Mobile, and hackers managed to gain access to personally identifiable information of carrier’s customers, including new applicants requiring postpaid services or device financing from September 1, 2013 through September 16, 2015.

The company said stolen data includes names, addresses, dates of birth, and encrypted fields with Social Security numbers and/or an alternative form of ID like a driver’s license or passport number, in addition to other type of information that T-Mobile uses in credit assessments. No payment card or banking information was stolen, but Experian says that the encryption may have been compromised.

Experian claims that this was an isolated incident over a limited period of time and that there is no evidence that the stolen data has been used inappropriately. However, the exposed data poses a high identity theft risk, and all individuals who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015 are advised to enroll in the complimentary identity resolution services.

While T-Mobile’s security or systems have not been breached, the incident is expected to affect the carrier, and T-Mobile CEO John Legere has already posted a statement online, saying that he is “incredibly angry about this data breach” and that the company will review its relationship with Experian.

The wireless carrier notes on a Q&A page that Experian has taken full responsibility for the data theft and that it has started informing individuals who may have been affected. The company also took steps to mitigate the issue by assessing the performance of its web application firewalls, enhancing security of encryption keys, limiting authorized access to the server, and additional monitoring of affected servers, in addition to contacting U.S. and international law enforcement and cybercrime authorities.

Security experts across the industry agree that this incident should be a wakeup call to wireless carriers and their partners and that they should always focus on improving the protection of customer data.

Tim Erlin, director of IT security and risk strategy at Tripwire, pointed out the fact that the breach does not affect all Experian users, but that details pertaining to the incident could change in future announcements from the two companies.

Advertisement. Scroll to continue reading.

“It’s tempting to consider this breach a lesser risk because no credit card data was compromised, but the loss of this type of personal information can lead to identity theft. It can be both difficult and costly for consumers to recover when their identity is stolen. While this is certainly not good news for those affected, the fact that no other customers of Experian’s appear to be compromised indicates that they’re segregating the data in a way that limits exposure. Breaches are a fact of life these days, and limiting damage is an important part of a comprehensive protection strategy,” Erlin told SecurityWeek.

“Wireless carriers have long been a hot target for hackers due to the wealth of information they store on their customers. It should not be a surprise that we see cybercriminals targeting business partners they can prove to be easier targets than the carrier themselves. This should be a wake-up call for the carriers and their business partners to be on guard as we usually see these types of attacks occur in clusters within a given industry,” Ken Westin, senior security analyst, Tripwire, added.

According to data loss prevention expert Gord Boyce, CEO of file security firm FinalCode, the user information stolen from Experian can be combined with data from other sources and can be used in sophisticated attacks.

“It’s become commonplace to offer credit monitoring to victims of a data privacy breach, but other attacks could fall outside the monitored time period. While there is reference to Experian’s use of encryption for some data, this public disclosure would indicate that personal and identifiable information has, indeed, been exposed. The T-Mobile and Experian relationship illustrates the importance of tracking and auditing the use of sensitive and regulated data in different forms throughout its lifecycle and processing supply chain,” Boyce said.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.