back to article 15 MILLION T-Mobile US customer records swiped by hackers

Experian's servers have been hacked – and now sensitive files on 15 million people who applied for T-Mobile US contracts have fallen into the wrong hands. In a letter published today, T-Mob boss John Legere said miscreants got hold of the database Experian uses when performing credit checks on folks enrolling for phone …

  1. This post has been deleted by its author

  2. Number6

    Compensation

    So you get two years free monitoring. Are they also going to pay for any losses incurred as a result of the breach, whether direct losses or more subtle ones such as a higher interest rate on a loan due to issues with a credit report?

    1. g e

      Fox, Henhouse

      See title

    2. elDog

      Re: Compensation - via another screwball

      None of those "credit monitoring agencies" hire any of the best or the brightest as far as the technical side of things.

      They may be good at marketing, especially to other mega-corps. All it takes is booze, some gals with died hair and long legs. (And my apologies to women, maybe booze/stuff is enough.)

      1. ardichoke

        Re: Compensation - via another screwball

        Not to mention the credit monitoring agency in question is owned by Experian, AKA the company that was compromised in the first place! Plus, from what I hear, you have to fork over a CC number for the "free" service and canceling at the end of the free period is a pain in the rump to do. It's almost like they're letting themselves be compromised as a way to drum up credit monitoring business. Talk about a conflict of interest.

  3. Jim-234

    I call BS on Experian's claims

    So the hackers got in and ransacked "only" the servers with T-Mobile's customer's data?

    I call BS on this, my guess is they lost a lot more data than they will admit.

    But wait... they offer to sign you up for their own credit monitoring service.... because you can really trust them to be secure....

    I told T-Mobile I specifically didn't want to give them my social security number because of this possibility and they told me they couldn't give me service if I didn't cough up the information, but that the information was not going anywhere else...... Time to have fun being really unpleasant to their customer service department.

    The big Experian campus in Dallas is a huge complex, but interestingly no signs or placards on the building saying who is there... of course being on Experian Parkway kind of gives it away..

    1. a_yank_lurker Silver badge

      Re: I call BS on Experian's claims

      Since Experian was hacked, I would expect other Experian accounts to be hacked.

    2. tacitust

      Re: I call BS on Experian's claims

      Not necessarily. While obviously their security has failed in this case, there is no reason to believe they would lump everything into one database, or even use the same systems shared across multiple client accounts. It's likely, in fact, that when they won the contract with T-Mobile to handle their credit checks, T-Mobile would have required them to keep their data completely separate from their other clients.

      No need to jump on the conspiracy theory train at this time. If the breach is wider, it will come out sooner or later. If Experian doesn't stay ahead of the game, they know it will cost them dearly.

      1. Anonymous Coward
        Anonymous Coward

        Re: I call BS on Experian's claims

        If Experian doesn't stay ahead of the game, they know it will cost them dearly.

        If they know that, why was their security so poor as to let sensitive data like this get hacked?

        I say that Experian don't really care. Yes, there's probably a lot of good practice going on there, but when your sole job is handling sensitive data that's not enough. If that's your day job, you need to be bullet proof. Mind you, the turds at a UK mobile retailer (an incompetent division of Dixons Carphone) recently managed to achieve the same outcome without obvious assistance from Experian.

        Unfortunately (for the UK at least) the penalties for data protection breaches are minimal, because all of the regulation is designed around the assumption that data protection is only about stopping spam marketing.

      2. Gnosis_Carmot

        Re: I call BS on Experian's claims

        It may not be the same database, but I'm betting they used the same service accounts across systems or the same servers for different customers. Unless there is an air gap the systems of others are always going to be reachable somehow (flaws in VM engine/routers/etc)

  4. Destroy All Monsters Silver badge
    Facepalm

    Freely accessible from the Internet!

    Clearly we are in the epoch of "Doxx Quantitative Easing". The market value of the info will go to nothing as duplicate records fill mobster Excel sheets...

    1. Anonymous Coward
      Anonymous Coward

      Re: Freely accessible from the Internet!

      Maybe, but their databases will be accurate...

  5. Bota

    User name : admin

    Password: admin

    ?

    1. Gnosis_Carmot
      Devil

      Nope -

      Username : SA

      Password : password

  6. Mark 85 Silver badge
    Facepalm

    He's furious with them because they got hacked and the miscreants ransacked his DB's that they had access to. Oh.. and his DBs were unencrypted.<facepalm>

    I think he needs to have his company's security practices re-examined:

    1) Perhaps, the miscreants couldn't get Experion's because their DBs were encrypted so they went after the low hanging fruit?

    2) And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?

    1. Doctor Syntax Silver badge

      "And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?"

      Exactly this. Or are they trying to tell us that they handled nearly a million applications a day (the breach is said to have run for about 16 days and there were 15 million records stolen).

      1. Version 1.0 Silver badge

        "And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?"

        Because regardless of whether the applicant is approved for a phone contract, their application is valuable information that you can sell to other marketers. - check the small print when you apply.

        1. cybersaur
          Unhappy

          There oughtta be a law!

          It should be illegal to sell or give away customer information. I'm sick of being the product.

          Opting out from every company that wants to sell our personal data is completely unreasonable. It just needs to be illegal with criminal penalties for the management that implements such policies.

    2. Anonymous Coward
      Anonymous Coward

      Because the system admin/dev team was moved to another priority project? Maybe changing icons to the latest "flat style", now in from the "3-d glossy style".

    3. Anonymous Coward
      FAIL

      T-Mobile didn't get hacked, Experian did.

    4. Pax681

      <blockquote>

      He's furious with them because they got hacked and the miscreants ransacked his DB's that they had access to. Oh.. and his DBs were unencrypted.<facepalm>

      I think he needs to have his company's security practices re-examined:

      1) Perhaps, the miscreants couldn't get Experion's because their DBs were encrypted so they went after the low hanging fruit?

      2) And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?

      </blockquote>

      easy to answer.. HE didn't have unencrypted DB's it says clearly that TMobile's own Data on their own network was safe and secure.

      It's Experion who run the service FOR AND ON BEHALF of TMobile.

      read and comprehend!

      The security policies that need examined are Experions!

      1. Mark 85 Silver badge
        Pint

        Yep... I totally misread that....It's been a long day at work. I'll buy you a beer on my way out as my penance.

  7. Your alien overlord - fear me

    Don't worry, it was all a big misunderstanding.

    Experian thought they could sell T-Mobile data to anyone without asking permission. Their lawyers have just noticed this and to protect themselves from lawsuits/class action etc. they claim they were 'hacked'. All your private data will obviously be used for spam (email and postal) - by the original purchasers. So no worries Legere, it's all sorted now :-)

  8. Anonymous Coward
    Anonymous Coward

    That swiped information was collected from people between September 1, 2013 and September 16, 2015, one day after Experian said it discovered the network intrusion.

    It took them 2 years to realise someone had access and it took one day to fix the problem. My fishy-o-meter is tingling.

    Edit: btw there is no plaice for jokes about this

    1. zerowaitstate

      My bet is stale user account

      If it was this quick to fix, chances were it was an old user account that had never been removed, or some other abuse of misconfiguration of permissions/accounts. I also think it's highly unlikely it just pertains to T-Mobile customers, but given that the news originated from T-Mobile, who for liability reasons cannot discuss any other parties.

    2. Version 1.0 Silver badge
      Devil

      AC "there is no plaice for jokes about this"

      ROTFLMAO - of yes there is - what makes you think that this isn't happening on your other accounts? Of course the providers will deny it (Well, you'd expect them to say that wouldn't you) but the simple fact is that the ONLY safe assumption is that all your data out there is compromised.

      We hear this time and time again - it's just a data breach, it's been fixed, the guilty parties will be ... well, maybe spanked if we can find them but most likely they will get away with it.

      Nope, I'm not trolling this - I'm simply being realistic. The only way to deal with these people is to treat them (and their claims of data security) as a joke - because it's absolutely clear that unless you are worth money to them, they don't give a monkeys about you. "Two years free credit reporting" - ha ha ha ha ... they will just sign you up and sell your data to someone else - Experion will make money on this breach in the long run.

      1. Anonymous Coward
        Anonymous Coward

        Re: AC "there is no plaice for jokes about this"

        Ahem

        ......"My fishy-o-meter is tingling.

        Edit: btw there is no plaice for jokes about this"

        Read and re-read until you have an "Oh I see it!" moment.

  9. Chairo

    additional information?

    ... and what Legere would only describe as "additional information" used for credit checks.

    Never mind the breach and all the trouble it causes their customers, but it would be really interesting to see what kind of "additional information" they gather for credit checks.

  10. oneeye

    Sadly the Encryption was Compromised ?

    Well then,Sadly, let the lawsuits begin! And to give "free id protection" from their own service? There is no penalty to the idiots. I would think an alternative service be offered to those who say screw you. And I would demand ALL my personal information be removed from their servers,forthwith too. Just in case someone else has a crack at them.

    And if I'm not mistaken, I think these bozos have Been hacked before,and or been involved in some other controversies.

    1. Destroy All Monsters Silver badge

      Re: Sadly the Encryption was Compromised ?

      Back in the early noughties they had bad data on customers' credit record, basically shitting over them with no recourse.

      Don't know whether fixed.

      Probably not.

    2. Version 1.0 Silver badge

      Re: Sadly the Encryption was Compromised ?

      Probably ROT-13

      1. elDog

        Re: Sadly the Encryption was Compromised ?

        ROT-13 - no, a much harder to decipher ROT-26/0.

  11. Anonymous Coward
    Anonymous Coward

    It might be just T-Mobile data

    Given the tiny amounts of information available to us I suspect Experian hosted a database of T-Mobile data and opened up an API/web service to allow external access to that data. So then T-Mobile could get at that data whenever they wanted. Experian's other databases would be secure because the web service didn't have access to them. Experian employed their best people to set up the web service so that when you ask it for information about an applicant you have to transpose the letters of the applicants name, so that A becomes B and B becomes C. Somehow a Chinese maths genius broke that code.

  12. elDog

    The first thing that any entity (gov,com) does is to give "free" credit

    rating services via Experian and other gobsnackers. And they'll need all your vitals to do their credit analysis. Altho this analysis flows via pipes into China, Russia, Israel and other technologically advanced countries. No sense piping it to the USofA since we're so brain-focked. Sad!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021