15 MILLION T-Mobile US customer records swiped by hackers

Experian's servers have been hacked – and now sensitive files on 15 million people who applied for T-Mobile US contracts have fallen into the wrong hands. In a letter published today, T-Mob boss John Legere said miscreants got hold of the database Experian uses when performing credit checks on folks enrolling for phone …

  1. This post has been deleted by its author

  2. Number6

    Compensation

    So you get two years free monitoring. Are they also going to pay for any losses incurred as a result of the breach, whether direct losses or more subtle ones such as a higher interest rate on a loan due to issues with a credit report?

    1. g e

      Fox, Henhouse

      See title

    2. elDog

      Re: Compensation - via another screwball

      None of those "credit monitoring agencies" hire any of the best or the brightest as far as the technical side of things.

      They may be good at marketing, especially to other mega-corps. All it takes is booze, some gals with dyed hair and long legs. (And my apologies to women, maybe booze/stuff is enough.)

      1. ardichoke

        Re: Compensation - via another screwball

        Not to mention the credit monitoring agency in question is owned by Experian, AKA the company that was compromised in the first place! Plus, from what I hear, you have to fork over a CC number for the "free" service and canceling at the end of the free period is a pain in the rump to do. It's almost like they're letting themselves be compromised as a way to drum up credit monitoring business. Talk about a conflict of interest.

  3. Jim-234

    I call BS on Experian's claims

    So the hackers got in and ransacked "only" the servers with T-Mobile's customers' data?

    I call BS on this, my guess is they lost a lot more data than they will admit.

    But wait... they offer to sign you up for their own credit monitoring service.... because you can really trust them to be secure....

    I told T-Mobile I specifically didn't want to give them my social security number because of this possibility and they told me they couldn't give me service if I didn't cough up the information, but that the information was not going anywhere else...... Time to have fun being really unpleasant to their customer service department.

    The big Experian campus in Dallas is a huge complex, but interestingly no signs or placards on the building saying who is there... of course being on Experian Parkway kind of gives it away..

    1. a_yank_lurker

      Re: I call BS on Experian's claims

      Since Experian was hacked, I would expect other Experian accounts to be hacked.

    2. tacitust

      Re: I call BS on Experian's claims

      Not necessarily. While obviously their security has failed in this case, there is no reason to believe they would lump everything into one database, or even use the same systems shared across multiple client accounts. It's likely, in fact, that when they won the contract with T-Mobile to handle their credit checks, T-Mobile would have required them to keep their data completely separate from their other clients.

      No need to jump on the conspiracy theory train at this time. If the breach is wider, it will come out sooner or later. If Experian doesn't stay ahead of the game, they know it will cost them dearly.

      1. Anonymous Coward

        Re: I call BS on Experian's claims

        "If Experian doesn't stay ahead of the game, they know it will cost them dearly."

        If they know that, why was their security so poor as to let sensitive data like this get hacked?

        I say that Experian don't really care. Yes, there's probably a lot of good practice going on there, but when your sole job is handling sensitive data that's not enough. If that's your day job, you need to be bullet proof. Mind you, the turds at a UK mobile retailer (an incompetent division of Dixons Carphone) recently managed to achieve the same outcome without obvious assistance from Experian.

        Unfortunately (for the UK at least) the penalties for data protection breaches are minimal, because all of the regulation is designed around the assumption that data protection is only about stopping spam marketing.

      2. Gnosis_Carmot

        Re: I call BS on Experian's claims

        It may not be the same database, but I'm betting they used the same service accounts across systems or the same servers for different customers. Unless there is an air gap the systems of others are always going to be reachable somehow (flaws in VM engine/routers/etc)

  4. Destroy All Monsters Silver badge
    Facepalm

    Freely accessible from the Internet!

    Clearly we are in the epoch of "Doxx Quantitative Easing". The market value of the info will go to nothing as duplicate records fill mobster Excel sheets...

    1. Anonymous Coward

      Re: Freely accessible from the Internet!

      Maybe, but their databases will be accurate...

  5. Bota

    User name : admin

    Password: admin

    ?

    1. Gnosis_Carmot
      Devil

      Nope -

      Username : SA

      Password : password

  6. Mark 85
    Facepalm

    He's furious with them because they got hacked and the miscreants ransacked his DBs that they had access to. Oh.. and his DBs were unencrypted.<facepalm>

    I think he needs to have his company's security practices re-examined:

    1) Perhaps, the miscreants couldn't get Experian's because their DBs were encrypted so they went after the low hanging fruit?

    2) And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?

    1. Doctor Syntax Silver badge

      "And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?"

      Exactly this. Or are they trying to tell us that they handled nearly a million applications a day (the breach is said to have run for about 16 days and there were 15 million records stolen).

      1. Version 1.0 Silver badge

        "And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?"

        Because regardless of whether the applicant is approved for a phone contract, their application is valuable information that you can sell to other marketers. - check the small print when you apply.

        1. cybersaur
          Unhappy

          There oughtta be a law!

          It should be illegal to sell or give away customer information. I'm sick of being the product.

          Opting out from every company that wants to sell our personal data is completely unreasonable. It just needs to be illegal with criminal penalties for the management that implements such policies.

    2. Anonymous Coward

      Because the system admin/dev team was moved to another priority project? Maybe changing icons to the latest "flat style", now in from the "3-d glossy style".

    3. Anonymous Coward
      FAIL

      T-Mobile didn't get hacked, Experian did.

    4. Pax681

      <blockquote>

      He's furious with them because they got hacked and the miscreants ransacked his DBs that they had access to. Oh.. and his DBs were unencrypted.<facepalm>

      I think he needs to have his company's security practices re-examined:

      1) Perhaps, the miscreants couldn't get Experian's because their DBs were encrypted so they went after the low hanging fruit?

      2) And why wasn't the T-Mobile DB cleaned up after the credit checks were run? That would ensure minimal customer exposure to attack?

      </blockquote>

      Easy to answer.. HE didn't have unencrypted DBs; it says clearly that T-Mobile's own data on their own network was safe and secure.

      It's Experian who run the service FOR AND ON BEHALF of T-Mobile.

      Read and comprehend!

      The security policies that need examined are Experian's!

      1. Mark 85
        Pint

        Yep... I totally misread that....It's been a long day at work. I'll buy you a beer on my way out as my penance.

  7. Your alien overlord - fear me

    Don't worry, it was all a big misunderstanding.

    Experian thought they could sell T-Mobile data to anyone without asking permission. Their lawyers have just noticed this and to protect themselves from lawsuits/class action etc. they claim they were 'hacked'. All your private data will obviously be used for spam (email and postal) - by the original purchasers. So no worries Legere, it's all sorted now :-)

  8. Anonymous Coward

    That swiped information was collected from people between September 1, 2013 and September 16, 2015, one day after Experian said it discovered the network intrusion.

    It took them 2 years to realise someone had access and it took one day to fix the problem. My fishy-o-meter is tingling.

    Edit: btw there is no plaice for jokes about this

    1. Anonymous Coward

      My bet is stale user account

      If it was this quick to fix, chances were it was an old user account that had never been removed, or some other abuse of misconfiguration of permissions/accounts. I also think it's highly unlikely it just pertains to T-Mobile customers, but given that the news originated from T-Mobile, who for liability reasons cannot discuss any other parties.

    2. Version 1.0 Silver badge
      Devil

      AC "there is no plaice for jokes about this"

      ROTFLMAO - oh yes there is - what makes you think that this isn't happening on your other accounts? Of course the providers will deny it (Well, you'd expect them to say that wouldn't you) but the simple fact is that the ONLY safe assumption is that all your data out there is compromised.

      We hear this time and time again - it's just a data breach, it's been fixed, the guilty parties will be ... well, maybe spanked if we can find them but most likely they will get away with it.

      Nope, I'm not trolling this - I'm simply being realistic. The only way to deal with these people is to treat them (and their claims of data security) as a joke - because it's absolutely clear that unless you are worth money to them, they don't give a monkeys about you. "Two years free credit reporting" - ha ha ha ha ... they will just sign you up and sell your data to someone else - Experian will make money on this breach in the long run.

      1. Anonymous Coward

        Re: AC "there is no plaice for jokes about this"

        Ahem

        ......"My fishy-o-meter is tingling.

        Edit: btw there is no plaice for jokes about this"

        Read and re-read until you have an "Oh I see it!" moment.

  9. Chairo

    additional information?

    ... and what Legere would only describe as "additional information" used for credit checks.

    Never mind the breach and all the trouble it causes their customers, but it would be really interesting to see what kind of "additional information" they gather for credit checks.

  10. oneeye

    Sadly the Encryption was Compromised ?

    Well then, sadly, let the lawsuits begin! And to give "free id protection" from their own service? There is no penalty to the idiots. I would think an alternative service be offered to those who say screw you. And I would demand ALL my personal information be removed from their servers, forthwith too. Just in case someone else has a crack at them.

    And if I'm not mistaken, I think these bozos have been hacked before, and/or been involved in some other controversies.

    1. Destroy All Monsters Silver badge

      Re: Sadly the Encryption was Compromised ?

      Back in the early noughties they had bad data on customers' credit record, basically shitting over them with no recourse.

      Don't know whether fixed.

      Probably not.

    2. Version 1.0 Silver badge

      Re: Sadly the Encryption was Compromised ?

      Probably ROT-13

      1. elDog

        Re: Sadly the Encryption was Compromised ?

        ROT-13 - no, a much harder to decipher ROT-26/0.

  11. Anonymous Coward

    It might be just T-Mobile data

    Given the tiny amounts of information available to us I suspect Experian hosted a database of T-Mobile data and opened up an API/web service to allow external access to that data. So then T-Mobile could get at that data whenever they wanted. Experian's other databases would be secure because the web service didn't have access to them. Experian employed their best people to set up the web service so that when you ask it for information about an applicant you have to transpose the letters of the applicants name, so that A becomes B and B becomes C. Somehow a Chinese maths genius broke that code.

  12. elDog

    The first thing that any entity (gov,com) does is to give "free" credit

    rating services via Experian and other gobsnackers. And they'll need all your vitals to do their credit analysis. Altho this analysis flows via pipes into China, Russia, Israel and other technologically advanced countries. No sense piping it to the USofA since we're so brain-focked. Sad!
