Analysis The IT security breach that spilt the personal details of an estimated 15 million T-Mobile US phone contract applicants has thrown a new spotlight on the risks of breaches at third-party companies.
T-Mobile's own systems weren't compromised. Rather, the source of the leak was Experian, the company that processed the carrier's credit applications.
Experian reckons the data lifted from its computers included names, addresses, and dates of birth that were stored unencrypted. No payment card or banking information was leaked. But the hacked databases also included encrypted fields containing such information as "Social Security number and ID number (such as driver's license or passport number), and additional information used in T-Mobile's own credit assessment" – and "encrypted" may actually be too strong a word.
"Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible," T-Mobile US chief exec John Legere said in a letter to customers.
The leak was an "isolated incident over a limited period of time," according to Experian – where "limited period" should be taken to mean several years. Unidentified hackers obtained access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between September 1, 2013 and September 16, 2015. Law enforcement agencies have been notified.
"This is yet another example of a 'long lived' attack which has taken years to come to light and of a third party provider who 'lost' information that was entrusted to them," said Guy Bunker, VP of products at security software firm Clearswift.
Experian is notifying the individuals who may have been affected and is offering free credit monitoring and identity resolution services for two years, and it says it has taken additional (unspecified) security steps to help prevent future incidents.
Somewhat ironically, Experian has become a leading supplier of credit protection services that monitor whether consumer data exposed through leaks has actually been abused in attempts to carry out identity theft. Clients expect the highest level of security from Experian, whose reputation has now been called into question by the T-Mobile data breach.
"While [Experian] say that this is only a part of their business, how can we be sure?" Bunker said. "After all it has been happening for two years without their knowledge. Can we be 100 per cent sure there is not more malware in their infrastructure they haven't found yet? How confident can we now be that they have adequate security solutions across the business to prevent data loss?"
The biggest immediate danger is that leaked data from the breach could be used to put together especially convincing phishing attacks designed to extract missing pieces of information needed to carry out identity fraud or other such scams.
"The information stolen from Experian can be combined with data from other sources and potentially used in sophisticated attacks," said data loss prevention expert Gord Boyce, chief exec of FinalCode. "It's become commonplace to offer credit monitoring to victims of a data privacy breach, but other attacks could fall outside the monitored time period."
Mark James, security specialist at IT security firm ESET, added, "End users data will be used for criminal activity that could include identity theft or more targeted attacks to gain as much info as possible from this breach. As T-Mobile were the initiating holder of the data they will need to answer to the public and offer some kind of financial protection for anyone affected that may include credit protection services."
Luke Brown, VP at data loss prevention firm Digital Guardian, said, "While many businesses are placing more emphasis on their own data protection these days, it's easy to forget third parties in the supply chain pose just as much of a risk to security. Simply assuming that suppliers and partners have adequate protection in place isn't good enough, steps must be taken to ensure that critical customer information is protected regardless of where it is in the supply chain."
"Ultimately, T-Mobile's customers aren't going to care where and how the breach occurred, the bottom line is they trusted T-Mobile with their sensitive data and now that trust is broken," Brown added. ®