Experian Breached, 15 Million T-Mobile Customer's Data Exposed
New submitter Yuuki! writes: The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer who has applied for device financing or even services from T-Mobile which required a credit check. Both parties were quick to point out that no credit card or banking data was stolen as part of the attack. The attack started back in September 2013 and was only just discovered on September 16, 2015. Both Experian and T-Mobile have posted statements on their websites and Experian is offering credit for two free years of identity resolution services and credit monitoring in the wake of the breach.
Two Free Years! (Score:5, Insightful)
Two free years of credit monitoring after the bad guys had two free years of access! Great work, Experian!
soon we'll all be Anonymous! (Score:2, Funny)
There's no way they're going to steal my identity again!
Passport numbers?!?!? (Score:2)
WTF would they have passport numbers for a T-Mobile phone?!?
It seems strange they'd even have a slot to store US passport numbers, considering that the vast majority of US citizens don't have or need a passport, eh?
That just struck me as odd that they'd have this stored associated with a mobile phone credit application.
Re: (Score:2)
They have this thing where they demand a second form of ID - they ask for a driver's license number, or a passport number. I protested and they settled for a student ID number, which in hindsight was a smart move.
Re: (Score:2)
Well, not everyone travels out of the country, I'd dare say a LARGE majority of folks never leave their state much less leave US soil.
If you're not leaving the country, why would you need a passport? And until the past couple years, you didn't even need a passport to run to Mexico or the Caribbean for the most part, just a driver's license and copy of your birth certificate, but after 9/11 that changed and you now need a passport. But I haven't left the country since those
Re: (Score:2)
Yeah, looked this up recently. Only about 1/3rd of US citizens even have a passport issued ever. That's no guarantee that they've even used it.
Re: (Score:2)
Interesting. So, I take it many more people in Europe have passports? If so, I'm guessing because some of the countries over there are so small and from what I understand in one day you can drive and cross 2 or more country borders.
For some reason, however, I'd thought with the EU formation, that y
Re: (Score:2)
from what I understand in one day you can drive and cross 2 or more country borders
In one step I've left one country, crossed another and ended up in a third.
But there are plenty of places in Europe where the quickest route from country A to B is via C, some countries so small that it takes a bad traffic jam to stop you crossing lengthways in a morning and generally it's pretty common to visit neighbouring countries on holiday, or even to go shopping or to visit friends.
Re: (Score:2)
and from what I understand in one day you can drive and cross 2 or more country borders.
Yep. Imagine driving across the Eastern states. There's been more than one day in my life where I've briefly visited three countries.
How do they all get around if they don't have cars to drive?
Public transportation is pretty awesome, when well-implemented. A lot of people in Europe have cars, but a lot of them don't. If trains, streetcars, b
Re: (Score:2)
The universal document in the US is the driving license. Even people who don't drive get an ID card issued through the licensing agency.
Re:Two Free Years! (Score:5, Insightful)
I currently have 3 separate free credit monitoring services from prior breaches in other companies. I'm confident that I'll have perpetual free credit monitoring since the credit monitoring lobby is now rich enough to force congress to maintain the status quo.
Re: (Score:1)
I read their offer as "This is not the incompetence you're looking for [youtube.com]; we're still relevant; no-one's worth may be judged without our say-so! dammit!!"
Re: (Score:1)
Don't forget Janrain, Nativo and scorecard. Thank you Ghostery.
Electronic footsteps on the Breaches (Score:1)
What a shame, but nothing will really change once this is all hashed out.
Re: (Score:3)
...there won't even be the same sort of mass outrage associated with this. Only a few geeks will even notice or pay attention. Making it even less likely that anything will change.
Re: (Score:2)
...there won't even be the same sort of mass outrage associated with this. Only a few geeks will even notice or pay attention. Making it even less likely that anything will change.
Quite right. Even now (as millions of hard-earned credit ratings are threatened) the school shooting, the Vatican's elaboration on the Pope meeting Ms. Davis, and the latest thing Trump said are bigger news stories.
Re: (Score:3)
I can at least understand the shooting becoming the top story for a while (if it bleeds it leads), but it's obvious how far the news media has fallen when "the Pope is Catholic" is headline news.
Phew, I was worried there for a second. (Score:5, Insightful)
Thank God my Credit Card numbers weren't breached, because those are impossible to cancel and replace. I'm so thankful it was only my Passport number, Driver's License number, social security number, full legal name, birth date, and address that were stolen, because those are a snap to cancel and replace.
Re: (Score:2)
Yep, and you know, it was so necessary for that easily changed and security irrelevant information to be recorded and saved on their servers FOR YEARS.
Re: (Score:3, Insightful)
I take it you are a foreigner who doesn't understand sarcasm.
Re:Phew, I was worried there for a second. (Score:5, Funny)
I was born in Sarcastistan, you insensitive clod!
Re: (Score:3, Funny)
So.... you were...(nt?) born there? I'm confused.
inadequate (Score:5, Insightful)
In corporatese, "I'm sorry" are empty words with no meaning without restitution and money.
Re:inadequate (Score:5, Insightful)
And as long as they have no legal liability for keeping this stuff safe, an insincere "I'm sorry" is all you will ever get. If corporations can hold your private data and have no consequences for having shit security, they will continue to do so.
For a credit agency to store that much personally identifying information and be hacked tells me that agencies like this need to have some pretty severe penalties for shit like this ... because they have pretty much everything required to steal your identity.
If we're going to entrust this data to these entities, we should sure as hell make certain we can actually trust them with it. And I would say that Experian has more or less demonstrated themselves to be incompetent to hold this information.
It really is time to stop letting companies treat this as "their" data, and realize they have an obligation to safeguard our data, and to be legally responsible when they fail to do so.
Re: (Score:2)
But what are you suggesting?
The problem is, if they can transmit the validating information, it can be stored and copied...and thus lost. That's the real reason all biometrics are an inherently bad idea.
Re: (Score:3)
We do have a choice. We can either trust others with our information, or we can live without the modern services they provide.
You can live without telephone or Internet service. You can live without credit. You can live without running water, electricity, cable TV, or any other privatized "public" utility. There's your alternative choice.
For most of the last century, America has been opposed to widespread government control. Out of a fear of "socialism", we campaign against raising the government-supplied s
Re: (Score:2)
I presume by "assets" you mean their "wedding tackle" - yes, freeze with liquid nitrogen.
Identity Theft (Score:5, Informative)
As an identity theft victim, let me say that "no credit card or banking data was stolen" means nothing. With name, address, SSN, and birth date compromised (as well as driver's license and passport numbers), anyone can now open new lines of credit in the names of any of the 15 million people whose information was accessed. And the two years of "credit monitoring" will do almost nothing. Fraud alerts won't either - those are voluntary.
My recommendation if you are one of the 15 million people is to freeze your credit [ftc.gov]. This will stop ANYONE from opening a new line of credit under your name unless you first thaw your credit file. It's a royal pain in the rear when you need to do things like refinance a loan, but it's better than having a collections agency banging down your door because you owe $5,000 on a credit card that "you" opened.
Re:Identity Theft (Score:5, Interesting)
I second this advice; I did this several years ago. It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name. The system relies on the intuition, and it is only that, that any self-respecting credit issuing entity will require a credit record (and a good one, at that) before issuing credit. If Joe's Bank and Bait Shop wants to issue someone a credit card in your name and doesn't give a flying rat's ass about your credit history, they are free to do this.
There is no national system to prevent credit from being authorized in your name, even to aliens from other worlds.
Re:Identity Theft (Score:4, Interesting)
It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name.
Yep. A shady car dealer in Nevada City gave an illegal with my SSN written on a check cashing card credit in my name, and now it's on my credit report. The whole idea that this can even happen is proof that the system is broken. I shouldn't have to appear to fight this, no court should have granted a judgement on the basis of a CHECK MART card with my SSN written on it in pen.
Re: (Score:1)
Agreed; indeed both my immediate neighbours were recently granted credit and they're gelatinous CO2-respiring life-forms from out of town. Curiously, I've been repeatedly turned down, despite paying off every one (of fifteen credit records) loan, hp agreement etc. with only two missed payments since my credit history began.
I'm more interested in their ability to perform their core task of deter
Re:Identity Theft (Score:5, Insightful)
You know the best part? The best part is that in order to do that, you get to PAY A FEE TO THE SAME GODDAMN FUCKERS WHO LOST THE INFORMATION IN THE FIRST PLACE!
(There is no "..." step; this is actually Experian's business plan!)
Re: (Score:2)
Don't forget that you need to pay each of the three major credit agencies. Also, if you're married and applying for a loan, your spouse and you need to pay separately. If my wife and I want to thaw our credit, it costs us $30. A while back there was a bill in Congress that would have made it free to freeze your credit, but the credit agencies, credit card companies, etc. all lobbied against it. They see frozen credit as lowered profits (since you can't open new lines of credit on a whim). The rash of ide
Re: (Score:2)
With name, address, SSN, and birth date compromised (as well as driver's license and passport numbers), anyone can now open new lines of credit in the names of any of the 15 million people whose information was accessed.
And that's why in backward countries you are required to provide some government issued photo ID when you open a bank account. Just saying.
8ts (Score:1, Offtopic)
The apostrophe should go after the 's'.
Re: (Score:2)
No, it should go between the two esses.
Fuck You, Experian (Score:5, Insightful)
Guess what they're not giving you? Your actual credit report. You just get the abbreviated version, so you can't actually look it over and see if this generally corrupt industry is fucking you. They will, however, sell you your credit report at a special members-only price. So what's happened here basically is that Experian is getting free advertising and T-Mobile is going to get off without punishment.
Fuck you Experian, and fuck you T-Mobile.
I already said fuck T-Mobile since they cancelled the PAYG plans I've been using, but fuck them twice now.
Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?
Re:Fuck You, Experian (Score:5, Insightful)
None of this should be surprising. The credit reporting services are in business to please their customers, the credit issuers. People who apply for credit are part of the product.
I would even go so far as to argue that the credit reporting agencies have an incentive to make your credit report as bad as possible, since the worse the report, the higher the interest rate you get charged for borrowing money. And the good news for creditors is that it doesn't force them to be more competitive, since they're all competing against the same view of your creditworthiness. Erring on the side of reduced creditworthiness lets creditors charge a higher interest rate for a risk that isn't elevated.
My conspiracy-minded side says this is why erroneous credit data is hard to remove and why credit reporters want to use non-financial correlates (like driving records) as part of your credit score -- something you can't ever get removed yet makes your credit report look marginally worse, thus making you a more profitable creditor via higher interest rates.
Re: (Score:3)
Lenders want to lend. If the credit-worthiness data does not correlate well with ability to repay, lenders cannot efficiently lend and will look for a different service. The number of participants in this space might make this a slow change, but normal market competitiveness has the opportunity to have effect.
Re: (Score:2)
FTFY
Re: (Score:2)
If the credit-worthiness data does not correlate well with ability to repay,
None of this changes the desire of the lenders to charge more profitable interest rates nor the desire of credit reporting agencies to have their scoring seen as more profitable. Since lenders are inherently risk-averse and profit-oriented, they have an incentive to lend at the interest rate that represents the highest possible risk and highest possible profit.
There's almost no way for a credit reporter to lose by reporting clients as worse risks than they really are. If a lender has a loan go bad and the
Re: (Score:1)
Each of the major credit reporting agencies must supply you a complete credit report annually upon request. Come on, this is not new.
https://annualcreditreport.com... [annualcreditreport.com]
Re: (Score:2)
Each of the major credit reporting agencies must supply you a complete credit report annually upon request. Come on, this is not new.
https://annualcreditreport.com... [annualcreditreport.com]
Technically, that is true. I've got mine in the past this way. But is there a penalty if they do not comply?
The credit agencies make it a total pain to get the free report, and try to up-sell you crap left and right. I've had them give me "high traffic; try again later" a few times, too.
I ordered mine, on paper, two months ago. None have yet arrived.
Re: (Score:2)
Yeah, I ordered one once, I never got it, I didn't bother to try again. It's all just a scam to sell you shit.
Re: (Score:2)
Are there ANY US mobile providers ... which are not total fucks?
No.
There are only varying degrees of total fuckishness and, as far as I can tell, T-Mobile is the best of the bunch. Maybe you can find a trustworthy local MVNO, but even then most of the money you pay them will still be supporting one of the big 4.
Re: (Score:2)
Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?
Cricket Wireless (subsidiary of AT&T [wikipedia.org]) and MetroPCS (partnered with T-Mobile [wikipedia.org]) provide pay-as-you-go service for both companies.
I've used both since I bought an off-contract phone and had no problem with either. I settled with Cricket because of coverage where I'm living in central Texas.
Re: (Score:2)
So far, I've had good luck with ting.com
They only support 2G for my phone, but I might try them for a non-internet plan since that's effectively what I have now.
No Ting for Me (Score:2)
"numbering services not available for that area"
whatever the shit that means
T-Mobile breached? (Score:1)
Re: (Score:2)
Does this actually have anything to do with T-Mobile? From the sounds of it, it's Experian that was breached, and the attackers mostly (though not exclusively) took TMo subscriber info. TMo's own security wasn't compromised.
I suppose you could argue that TMo should have gone with somebody more responsible / secure than Experian, but is there actually any such entity that provides the necessary services? As low as Experian sets the "not complete shit" bar, are the other credit agencies actually any better? T
Requirement to be forgotten (Score:5, Insightful)
One of the best things that can be done to prevent data breaches is require that data be deleted after a certain time. I don't see a good reason why 15 million customers should have their data retained after the credit check is complete. It won't stop breaches, but it would limit their scope. There also need to be severe penalties for negligent security or failing to notify customers in a timely manner. Better yet, eliminate social security numbers for identification altogether outside of social security and (maybe) tax purposes. And it's no surprise that a credit bureau was attacked. They're gold mines of information waiting to be compromised. I'd like to see particularly strong regulation of these companies. Consumers don't really get to opt in, but this personal information is stored and can be compromised easily. That doesn't seem fair at all to me.
Re: (Score:2)
Credit scores reasonably include attempts to acquire more credit (which is what most phone contracts really are, even if month-to-month), so it wouldn't be possible to delete data after a credit check is complete.
Note: it is possible to escape the credit-check part of the equati
Re: (Score:2)
The credit bureaus need to keep identifying information on everyone. Otherwise, they couldn't keep credit ratings up to date, and they couldn't even give my score to anyone as they wouldn't know that that was my score.
It appears that what was leaked was identifying information, which they really have to keep.
My Social Security number is fine for identifying me. It really, really sucks at verifying that I'm me. The idea that someone who knows the number I am required to tell many different people mus
There is ONLY one thing to do! (Score:1)
Re: (Score:2)
"Fees vary based on where you live, but commonly range from $5 to $10"
Wonderful how these Aholes can charge us to freeze our credit, and then charge us to unfreeze it.
Experian Credit Breach (Score:5, Insightful)
Experian is offering two years of free credit monitoring in connection with the breach of their system. In order to sign up for the two-year credit monitoring they require you to provide your full identity: SS number, birth date, etc. Isn't that just the information that was just compromised in their system??? How do they think they can be trusted??? This does not resolve the problem of their lack of network security with sensitive information.
Make PII Go Away (Score:4, Insightful)
This information is used for identifying a person or proving identity so it's an authentication problem. We can do better! We have public key encryption. The government issues you a key pair (say, embedded into a photo ID, which we all have already) and now you can prove your identity without giving someone an irrevocable secret.
Authentication is also two factor: You have an ID and you know a PIN (or passphrase). If you lose your card, then your identity is not immediately compromised because it is protected by your PIN. This gives you time to have the gov't revoke your old key pair and issue you a new one.
In the case of the credit bureaus (I think we can all safely assume credit isn't going away any time soon), they associate your credit history with your public key and nothing else. If the key is revoked (by the gov't), then they move your file to the new key. No one can take out credit using the old key. In fact, any attempt could be reported to law enforcement.
The entire US Department of Defense has been using a system like this for years now and has by and large done away with things like passwords and hand signatures, especially for the things that matter most.
Is this completely foolproof to prevent someone impersonating you? No, but it is much better than having your SSN and other PII out on some forum where just anyone can use it for nefarious purposes and would be well worth its cost and complexity. The greatest obstacle is the credit bureaus having nothing to gain in actually protecting their "customers'" data because then to whom will they sell credit monitoring?
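The scheme the post sketches, written out as an added Go example (not code from the original post, and not a model of the DoD system it mentions): the government issues a key pair on the ID card, the card signs only after a correct PIN, the bureau files credit history under the public key and knows nothing else, a revoked key gets its file moved to the replacement key, and any attempt with the old key is refused and logged for reporting. The Registry, IDCard and Bureau types, the PIN values, the constructed credit-history string and the per-challenge nonce are all illustrative assumptions; the example goes one step beyond the post by making each challenge single-use, so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyID is the hex form of an Ed25519 public key; in this model the bureau
// files credit history under it instead of under an SSN.
type KeyID string

func keyID(pub ed25519.PublicKey) KeyID { return KeyID(hex.EncodeToString(pub)) }

// IDCard stands in for a government-issued photo ID with an embedded key pair.
// The private key never leaves the card and signing needs the holder's PIN,
// so a lost card on its own does not let anyone impersonate the holder.
type IDCard struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	pin  string // assumed to be checked inside the card's secure element
}

// Sign answers a challenge only when the PIN matches (constant-time compare).
func (c *IDCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// Registry stands in for the issuing authority: it issues cards and records
// which keys were revoked and which replacement key each one maps to.
type Registry struct{ revoked map[KeyID]KeyID }

func NewRegistry() *Registry { return &Registry{revoked: map[KeyID]KeyID{}} }

func (r *Registry) Issue(pin string) (*IDCard, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IDCard{Pub: pub, priv: priv, pin: pin}, nil
}

// Revoke retires a lost card's key and issues a replacement card.
func (r *Registry) Revoke(lost *IDCard, newPIN string) (*IDCard, error) {
	fresh, err := r.Issue(newPIN)
	if err != nil {
		return nil, err
	}
	r.revoked[keyID(lost.Pub)] = keyID(fresh.Pub)
	return fresh, nil
}

// Bureau stands in for a credit bureau that knows applicants only by key.
type Bureau struct {
	reg     *Registry
	files   map[KeyID]string // credit history keyed by public key (constructed data)
	pending map[string]bool  // challenges issued and not yet answered
	reports []string         // attempts with revoked keys, kept for law enforcement
}

func NewBureau(reg *Registry) *Bureau {
	return &Bureau{reg: reg, files: map[KeyID]string{}, pending: map[string]bool{}}
}

func (b *Bureau) Enroll(pub ed25519.PublicKey, history string) { b.files[keyID(pub)] = history }

// Challenge hands out a fresh random nonce; each nonce is accepted once.
func (b *Bureau) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Rotate moves a file from a revoked key to the replacement the registry lists.
func (b *Bureau) Rotate(old, replacement ed25519.PublicKey) error {
	if b.reg.revoked[keyID(old)] != keyID(replacement) {
		return errors.New("registry does not list this replacement")
	}
	if file, ok := b.files[keyID(old)]; ok {
		b.files[keyID(replacement)] = file
		delete(b.files, keyID(old))
	}
	return nil
}

// Authorize checks a signed challenge and returns the applicant's file.
// Revoked keys are refused and recorded; a nonce is consumed on first use,
// whether or not the signature over it verifies.
func (b *Bureau) Authorize(pub ed25519.PublicKey, challenge, sig []byte) (string, error) {
	id := keyID(pub)
	if _, ok := b.reg.revoked[id]; ok {
		b.reports = append(b.reports, fmt.Sprintf("credit attempt with revoked key %s...", id[:8]))
		return "", errors.New("key revoked")
	}
	nonce := hex.EncodeToString(challenge)
	if !b.pending[nonce] {
		return "", errors.New("unknown or already used challenge")
	}
	delete(b.pending, nonce)
	if !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("bad signature")
	}
	file, ok := b.files[id]
	if !ok {
		return "", errors.New("no file for this key")
	}
	return file, nil
}

func main() {
	reg := NewRegistry()
	card, _ := reg.Issue("1234")
	b := NewBureau(reg)
	b.Enroll(card.Pub, "constructed history: 2 accounts, no late payments")
	ch, _ := b.Challenge()
	sig, _ := card.Sign("1234", ch)
	fmt.Println(b.Authorize(card.Pub, ch, sig))
	fresh, _ := reg.Revoke(card, "9876")
	_ = b.Rotate(card.Pub, fresh.Pub)
	ch2, _ := b.Challenge()
	sig2, _ := card.Sign("1234", ch2)
	_, err := b.Authorize(card.Pub, ch2, sig2)
	fmt.Println(err, b.reports)
}
```

The point to notice is what the bureau never holds: no SSN, no birth date, no private key. A breach of its files yields public keys and credit histories, and a public key by itself lets nobody sign a challenge, so it cannot be used to open an account the way the leaked identifiers in this story can.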
Re: (Score:2)
Most people can deal with a number on a piece of paper. Most people are going to have real problems with handling a private key, having it available whenever desired while keeping it secret even if their computer is taken over and not losing it.
Re: (Score:2)
The drawback is that most computers these days do not have a smart card reader. USB would
Still too much uncertainty of the size of exposure (Score:5, Insightful)
"15 million". Huge number. It usually takes the power of the US Federal Government [wikipedia.org] to screw up this big.
But one thing is not clear from TFA, let alone from the slightly misleading TFS.
This is an Experian hack, not a T-Mobile hack. What makes any "expert" think the exposure is limited to someone who interacted with T-Mobile? Experian is one of the awful ubiquitous unavoidable facts of life, much like the Government (see above). If you have participated in any non-cash financial transaction, they probably have a file on you.
What are the particulars of this breach that make it strictly an "Experian interacting with T-Mobile" risk? Experian is huge, and if you're counting on some kind of strict internal data partitioning within the company to restrict the attack area to "T-Mobile applicants" you're too naive to sit with the grown-ups.
Seriously. Why the fuck isn't this a maximal-sized no-holds-barred every-file-Experian-holds breach?
Re: (Score:2, Informative)
Experian partitioned clients apart from one another. The breach hit their T-Mobile systems, which is why they are mentioning it only affects T-Mobile customers. But you are right not to trust Experian; if it happened to one of their systems, it could be happening as we speak to any other of their clients. It could also be happening to any of the other credit partners or banks as well and we'll find out in the coming years. My father used to work for a large bank, he would always tell me stories of breaches
Re: (Score:2)
Ah, "dedicated accounts." That's just exactly like physical isolated network and storage architectures, right? So that if a cracker has, let's pretend*, a whole two years to poke around, they can't get through the impenetrable internal partitions between accounts.
*facepalm*
Air gap or GTFO.
*And by "pretend", I mean "since they actually had two years undetected"...
This is a good thing, and inevitable. (Score:1)
These breaches are a good thing, because they are forcing evolution.
Something we in IT have always known is that security cannot be solely applied through obscurity. There will always be opportunity, tools and motivation that expose it.
This has never translated into other information sensitive disciplines, and right at this moment we have a tremendous amount of fragility in our financial and personal identification infrastructures because there is no concept of authentication.
That has to change. More of
Re: (Score:2)
No matter how many times these breaches happen, we won't "evolve" a response because there are big financial companies whose profits rely on accumulating and easily accessing our credit files. Those companies will use their lobbying might to kill any reform bills that even slightly smell like they might slightly inconvenience them in the pursuit of protecting people. They might allow some useless "feel good" legislation to pass, but you can be sure they won't let any consumer protections "evolve" because
What I want to know is .. (Score:1)
What I want to know is - in this day and age - what this data was doing on a server, connected to the Internet in an unencrypted form.
Perfect irony (Score:2)
I went to the T-Mobile site and what happened?
I got a popup saying "T-Mobile wants to know your location"
How fucking ironic.
The information actually stolen is far worse... (Score:2)
The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates, driver's license and passport numbers
Both parties were quick to point out that no credit card or banking data was stolen as part of the attack
Great, so the banking and credit card data--which would only lead to fraud for which the individual would not be held accountable--wasn't stolen. But all the most valuable data for applying for fake credit and identity theft was! Much harder to fight off fake accounts than fake charges on a valid account.
This should go beyond just two years of free monitoring... what do I do when someone is out there impersonating me? Hope I have an alibi when they come looking for me, but that's sort of tough to do
Re: (Score:2)
I'm an identity theft victim, albeit a lucky one who caught it early before too much damage was done, and it was scary when someone opened a credit card in my name. What's scarier, though, is if a criminal is arrested and gives your name/SSN/DOB. I used to read the blog [blogspot.com]
Re: (Score:2)
The hideous thing is that identity theft doesn't even need to be intentional. My wife got hit with the bill for a MAN who died in a hospital in a different city. They had the same name, but no other similar characteristics. And it STILL took years to fight through. The bank the hospital used sold the debt to a collection agency (well, more than one, actually) who wouldn't even take a death certificate as proof that she wasn't him.
Say something bad about the financial credit system and I'll believe it wi
Re: (Score:2)
The bank the hospital used sold the debt to a collection agency (well, more than one, actually) who wouldn't even take a death certificate as proof that she wasn't him.
Why bother to prove it to them? You've told them, they ignored you, what are they going to do next? Absolutely nothing unless they want suing into oblivion.
Re: (Score:2)
Because it goes into your credit history...and to get them to stop calling every half hour. (I exaggerate, but that's what it felt like.)
Re: (Score:2)
If it goes in your credit history, they've told lies about you. Sue them.
If they keep harassing you, ask the police to arrest them for harassment.
Re: (Score:2)
I don't have a lawyer on retainer, so suing them would have cost me quite a bit. And it did, eventually, get straightened out. (I *was* thinking of suing them before we finally straightened things out, though. But collection agencies are in a different state...if they tell you where they are. They intentionally don't make things easy, as if you just pay them off they win.)
Thank God (Score:2)
Re: (Score:2)
Whenever I talk to my father about my identity theft and subsequent credit freeze, he tells me I should just change my SSN. Apparently, you *can* do that. However, it's not an easy process and I'd need to contact anyone who legitimately* has my SSN to update that. Once again, a criminal can do damage in one hour that the victim will be cleaning up for years.
* SSNs shouldn't be used as unique identifiers at all so read "legitimately" to mean "they shouldn't need it, it shouldn't be a unique identifier, bu
Re: (Score:2)
"there is no legitimate use for multiple names tied to a single number"
They are called 'aliases'. I have three IRL, all caused by misspellings in the past.
One on a store credit app, somehow they could not get my five-letter last name correct. Ignats.
One on a debt collection report for a university in a state I had never set foot in. When I asked for my academic records and diploma in exchange for a $200 bookstore bill, they relented and only called me every three years.
One on a mortgage app, which to thi
Re: Oh boy. (Score:2)
That is as good as it will get. SSA can't prevent those errors or criminal acts.
Re: Oh boy. (Score:2)
My sister and I have SSNs that are one digit apart; sequential; lsd.
This causes problems. We cannot ever have accounts at the same damned bank, nor the same sort of credit at the same issuer.
And no, this should not be a problem. Data is data.
No big deal (Score:2)
>revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer
but no credit card numbers or banking data (other than your names, addresses, Social Security numbers, birth dates and driver's license and passport numbers)
>Experian is offering credit for two free years of identity resolution services and credit monitoring
Were you really planning on living longer than that?!
Free credit reports for 6 years (Score:2)
It's now been 6 years since I've had to pay for credit reports because of all the breaches my data has been involved in.