T-Mobile CEO John Legere pulled no punches expressing his disgust over a hack yesterday at its credit vendor Experian that compromised the personal information of about 15 million T-Mobile customers and applicants, and rightly so according to industry insiders who believe T-Mobile's image now may be badly tarnished through no fault of its own.
The breach affected all those who signed up for a T-Mobile account between Sept. 1, 2013, and Sept. 16, 2015, with unauthorized access being gained to customer's names, birth date, addresses and social security numbers, according to a statement by Experian North Armerica CEO Craig Boundy. He added that the breach did not impact any other aspect of Experian's business and that the server in question has been secured.
“It will be interesting to see the fallout. T-Mobile got a pretty bad black eye and I believe will seek some kind of restitution from Experian and I would not be surprised if there is a class action suit from the victims,” Chris Ensey, COO of Dunbar Cybersecurity, told SCMagazine.com.
Legere stated in a release that T-Mobile will conduct a thorough review of the company's relationship with Experian.
The other major issue the companies are dealing with is what threat is being faced by the customers involved. T-Mobile and Experian are offering free credit monitoring services to those affected, but Ensey and others expressed doubt that such action will benefit the victims.
“This is not a really legitimate tool anymore,” he said, instead suggesting the companies tell the people how to protect their information by freezing their credit.
“It's become commonplace to offer credit monitoring to victims of a data privacy breach, but other attacks could fall outside the monitored time period,” said data loss prevention expert Gord Boyce, CEO of FinalCode, to SCMagazine.com via email Friday.
Avivah Litan, a vice president and distinguished analyst with the research firm Gartner, said to SCMagazine.com that while identity theft is a concern, she believes the information taken will be used for a possibly even darker purpose.
“There is good evidence that China is buying it [stolen data] up on the dark web to use for intelligence purposes. China wants to create a database of every American so they can use it together intelligence,” Litan said.
Such a database would tell Chinese intelligence agents who works where so if they are interested in a particularly technology or piece of information they can go to the source, she said. As evidence Litan said that even though 150 million Americans have had at least some personal information compromised, very few - about 4 percent - have been financially impacted. Which brings up the question, she said, of “what is all the data being used for?”
Obviously, I am incredibly angry about this data breach..."John Legere, T-Mobile CEO
If not used for espionage purposes there is the distinct possibility it will be offered up to the highest criminal bidder, said Jerome Segura, senior security researcher at Malwarebytes Labs, to SCMagazine.com Friday in an email.
“Sadly, as with other recent breaches, this data will end up in the public domain and be available for download to other cybercriminals. Online crooks of all sorts will undoubtedly make use of the information in the future to target victims,” he noted.
While breaches themselves are not uncommon, Ensey said credit bureaus have been hit before citing general lax system security as the most likely culprit.
Phil Barnett, vice president of Good Technology, agreed.
“Many companies are still flying blind when it comes to security, because they still don't think it affects them. Data is a company's biggest asset, but they are not getting to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won't go away and companies need to change their mindset in order to solve it,” Barnett said to SCMagazine.com via an email on Friday.
Litan disagreed, saying these companies understand the importance of the data in their charge and invest a lot of time and money on security.
Another area this incident exposed is the danger companies expose themselves to when a third party is entrusted with their information, said Fred Kost, senior vice president at HyTrust.
“If companies do not ask about, and require, details about the protection of their data -- including (important!) the use of encryption, monitoring and enforcement of access policies, and key management — it's not a question of ‘if'… they will find themselves in the same position as T-Mobile in the future,” Kost told SCMagazine.com in an email Friday.