Experian Breach Exposes Info Of 15M T-Mobile Customers; Partners Not Affected
A breach at credit services provider Experian, announced late Thursday, exposed the personal information of more than 15 million T-Mobile customers who were using the company's services, though a company spokesperson told CRN that partners were not affected by the incident.
According to a statement from Experian, the company discovered on Sept. 15 that there had been unauthorized access to a company server that contained personal information on T-Mobile customers who had applied for the telecom vendor's postpaid services, which have been handled by Experian since Sept. 2, 2013. T-Mobile said its own systems and network were not compromised in the incident.
Because of segmentation, Experian said data from customers' credit cards and bank accounts was not compromised. However, it said personal customer information was compromised, including names, addresses, Social Security numbers, dates of birth, and identification numbers (which could include data from a driver's license, military ID or passport).
A T-Mobile spokesperson told CRN that, while the investigation is ongoing, the company does not believe at this time that any partners or partners' clients were affected. Experian said it will notify customers whose personal information was affected, and will offer them two years of free credit monitoring services.
Experian said it will now take steps to ramp up its internal information security systems, including accessing and removing malware and improper connectivity, isolating the affected server and associated systems, engaging law enforcement, and increasing its monitoring of the affected server and associated systems.
The Experian breach is only one of many recent breaches that have targeted aggregated sources of customer information, instead of the vendor itself. Most recently, that trend was seen in targeted attacks on health insurance companies that hold vast amounts of sensitive healthcare data, including Excellus, CareFirst, Anthem and Premera.
"A company like Experian, to whom other massive firms like T-Mobile hand over huge volumes of data, is a natural target for attack. This is why the old (but apocryphal) story says that when they asked the thief why he robbed banks, he said 'Because that’s where the money is,' " Jonathan Sander, vice president of product strategy at Lieberman Software, said in an email to CRN.
That trend will continue as "bad guys" keep targeting companies with vast pools of data, either for monetary gain or other motivations, said Jeff Schmidt, CEO and founder of JAS Global Advisors, a Chicago-based high-end security consulting firm that focuses on the financial and government verticals.
"I think it's reasonable to conclude that wherever the data is, it will be targeted," Schmidt said. "If you do have these one-stop-shop aggregators, it's convenient for both the good guys and the bad guys."
Schmidt said the breach is yet another sign that companies, particularly those holding sensitive data like Experian, need to step up their game when it comes to security.
"A company like Experian should be better than this at this point," Schmidt said. "I would expect a company like Experian to be better by now than having a routine, pedestrian breach like this."
In particular, Schmidt said the breach underscores how companies like T-Mobile need to more thoroughly evaluate their third-party vendors when it comes to cybersecurity. While full-scale audits can be expensive, Schmidt said it's important to trust and verify in areas that are mission critical to the business or contain risky information.
"[The Experian breach] underscores the importance of managing business partners and business relationships and understanding what the exposure is and who has your data," Schmidt said.
PUBLISHED OCT. 2, 2015