As a result of a breach at credit-rating provider Experian, some 15 million T-Mobile USA subscribers are now at far greater risk of phishing attacks, telephone scams and fraud schemes, warns data security specialist Mark James (see Experian Hack Slams T-Mobile Customers).
Experian says it traced the data breach to a small number of intrusions into its network in September, which allowed a hacker to steal two years' worth of records, including data relating to T-Mobile subscribers who required a credit check for service or device financing. After learning of the breach, T-Mobile CEO John Legere says he is "incredibly angry" and will be instituting "a thorough review of our relationship with Experian."
But one takeaway from this breach is that even though it was the fault of a third party - no matter the amount of due diligence, contractual agreements or security reviews that were in place - T-Mobile's reputation is still likely to take a hit, says U.K.-based James, who works for Slovakian security software firm ESET. "This is an interesting case ... because it wasn't actually T-Mobile that suffered the breach. But ultimately they're going to take the shunt from the public."
Another lesson to be learned is that despite a company's best efforts, any third parties that touch their data can - and increasingly, it seems, will - be breached. "You know, 15 million - that's a lot of data to go missing. And of course the problem is, certainly from T-Mobile's point of view, they expect their data to be looked after, they expect it to be managed in a professional way, and sadly, it's gone awry in this case," James says. "It's an interesting question of, 'What more could they do to protect it?'"
Attacks Get Personalized
T-Mobile says the stolen data does not include payment card information. But James says the type of information stolen via this attack is being actively used by criminals to help craft spam and phishing emails that contain just enough real information - perhaps a user's first and last name, plus their address, birthdate, Social Security or driver's license number - to make users trust the message enough to click a follow-on link and try to find out more.
Unfortunately, it's not clear how to offer meaningful protection now to consumers who are at much greater risk from these types of attacks. "What can we offer these people?" James asks. At the moment, the norm is an apology, plus two or three years of identity theft monitoring, he says. "Is it enough? I don't personally think so. I don't think we put enough value on our data."
In this interview with Information Security Media Group, James also discusses:
- How attackers are using even small amounts of stolen PII to personalize attacks.
- When and how to use encryption to protect consumers' personal information, and the top ways in which organizations use encryption incorrectly.
- Whether stronger measures - such as higher fines for breached organizations - might be required to battle the ongoing data-breach epidemic.
James is a security specialist for ESET UK. He has worked at the company since 1999 and prior to his role as security specialist, James was the technical team leader, managing the ESET help desk team that offers technical support to customers. He has been working in the IT industry for 25 years and has held many roles, covering such domains as network management, infrastructure systems design and integration.