If you’re a T-Mobile customer and you underwent a credit check for service or device financing from September 1, 2013 through September 16, 2015, you may be affected by the latest large-scale data breach. If you are, you’re not alone: reports indicate up to 15 million people may be affected.
In this most recent incident, the attack wasn’t against T-Mobile itself. Instead, it was against Experian, which processes T-Mobile’s credit applications. This data breach is another example of a company being affected through one of its vendors.
This is similar to the Heartland Payment Systems breach in 2009 and shows how companies responsible for processing financial information continue to be a weak link in the chain.
Attackers were able to get critical customer information including:
T-Mobile has said the Social Security Numbers and ID numbers were encrypted. However, it has also indicated that, according to Experian, the encryption may have been compromised. (Experian itself has not said that the information was encrypted, nor that the encryption was compromised.)
Both T-Mobile and Experian have indicated that attackers accessed a server to steal the information. This is all the detail T-Mobile and Experian have provided so far.
However, while they’ve not said the exact cause of the breach, we can use this information to make some informed suppositions:
In short, this looks like a classic APT-style attack.
To T-Mobile and Experian’s credit, the data breach was quickly discovered and addressed, and their notification to affected customers is one of the fastest we’ve seen yet (within two weeks of the event). Additionally, both T-Mobile and Experian have already provided information on their websites.
If you’re affected by this incident, you should sign up right away for the two years of free credit monitoring currently being offered.
Furthermore, this incident underscores the necessity for companies and individuals alike to share the cybersecurity responsibility. It is incumbent upon organizations like Experian to invest in breach detection solutions such as Trend Micro Deep Discovery to protect their customers’ data. Individuals should also obtain real-time credit monitoring to better protect themselves in these situations.
As we indicated in our data breach report, these events have become much more common since 2009. And while it’s been a while since we’ve had a retail data breach of this size and scope, this is a reminder that the problem hasn’t gone away and isn’t likely to go away anytime soon.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.