NEW YORK (MainStreet) — The ugly news exploded last week: 15 million applicants for credit at T-Mobile have had their personal information stolen by hackers from a server maintained at Experian, the credit reporting agency. But then the news gets worse: very bad times are ahead for many of those 15 million, due to the nature of the stolen data.
And nobody knows exactly how the hack occurred. “There is not a ton of info on this,” admitted Christopher Budd, a security expert with Trend Micro.
For its part, T-Mobile has busied itself throwing mud at Experian. Said T-Mo CEO John Legere in a letter to consumers: “I am incredibly angry about this data breach, and we will institute a thorough review of our relationship with Experian.”
Experian, right now, shapes up as the bigger loser. Said Clay Calvert, director of cybersecurity for MetroStar Systems: “There are other two other companies [Equifax and Transunion] that monitor credit. Experian will be hurt more than T-Mobile.”
How did Experian get its hand on T-Mo’s data? Simple. When a consumer sought credit from T-Mo, T-Mo punted to Experian. Explained T-Mo in a q&a: “Experian maintains a historical record of the applicant data used by T-Mobile to make credit decisions. The data provides the record of the applicant’s credit application with T-Mobile and is used to assist with credit decisions and respond to questions from applicants about the decision on their credit application. The data is required to be maintained for a minimum period of 25 months under credit laws.”
Experian in its statement told about the breach: “Experian North America today announced that one of its business units...experienced an unauthorized acquisition of information from a server that contained data on behalf of...T-Mobile, USA, Inc. The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from September 1, 2013 through September 16, 2015, based on Experian's investigation to date.”
“The data acquired included names, dates of birth, addresses, and Social Security numbers and/or an alternative form of ID like a drivers' [sic] license number, as well as additional information used in T-Mobile's own credit assessment,” Experian added.
Affected consumers have been offered two years of free credit monitoring via, surprise, Experian. Robert Siciliano, security expert with BestIDTheftCompanys.com, commented on the Experian role in protecting the victims.
“Credit bureaus aren't supposed to be breached," he said. "And if in any way they end up profiting, it would be just wrong.”
T-Mo’s Legere acknowledged how peculiar it might seem to depend on Experian to monitor the impacts of the data they lost on consumers’ credit. “I hear you re: Experian as service protection option," he said in a tweet last week. "I am moving as fast as possible to get an alternate option in place by tomorrow.”
At the time of publication, this story Legere had yet to name that alternative service.
Where this breach gets horrific is in terms of the data that was stolen. A credit card is easy to replace if it is compromised in a breach. Not so what was stolen here. A Social Security number, driver's license number and date of birth are gold to an identity theft criminal and, worse still, that data may not have been encrypted on Experian’s server. Said Legere: “Experian has determined that this encryption may have been compromised.” Experian had not responded to this reporter’s request for comment on Legere’s claim.
Even if the data had been encrypted that may not mean safety for victims. "It often is easy to decrypt encrypted data," said Calvert.
He added that on a scale of 1 to 10 in assessing how bad the damage in a breach is, he counted this a 7. "It's bad," said Calvert.
“This is a bad one," agreed Rurik Bradbury, chief marketing officer at Trustev, an e-commerce security company. "That's the problem for the 15 million. The amount of data is enough to do a lot of damage. Complete identities have been stolen.” The data crooks now have in hand is plenty to open new credit lines, file bogus tax returns, and in other ways steal identities for profit.
It also is data without an expiration date. A crook could comfortably wait two years for the credit monitoring to expire then get busy stealing. Advice from Siciliano is to sign up for the free credit monitoring but recognize its limitations, among which is that it does not prevent identity theft, although it may alert a victim it has occurred.
“Victims should also immediately initiate a credit freeze at all three bureaus,” Siciliano said. With a freeze in place, a crook is blocked because no new credit should be extended. Freezes can also be lifted if you decide you want to buy a car or get a new credit card.
As for how consumers are taking this, Michael Bremmer, a telecommunications expert in California, said he is a victim in the T-Mo breach, because he had upgraded to an iPhone 6. “I have been an identity theft victim twice," he said. "It sucks.”
Bremmer added about the T-Mo breach in particular: “I am mad. But what can I do? It is what it is.”
That angry resignation just may be the prevailing mood among T-Mo consumers. What can they do?