On October 1st T-Mobile released a statement revealing approximately 15 million existing and potential customers had their personal identification data stolen. The hack was not against T-Mobile itself but against Experian, the company that runs credit verification for postpaid accounts for T-Mobile.
What Was Stolen?
According to T-Mobile, anyone who submitted a credit application between September 1st, 2013 and September 16th 2015 was affected. No credit card or payment information was stolen but the hack exposed applicants’ name, address, date of birth, Social Security number and identification numbers such as a driver’s license or military ID.
How Can Criminals Use This Information?
Criminals can use this information for identity theft, opening fraudulent lines of credit, submitting phony tax return requests or other financial fraud. While it’s good that victims won’t have to worry about someone emptying their bank accounts, identification data such as their SSN or drivers’ license number is much harder to change than a bank password. Within a couple of days, other cyber security firms confirmed data sets stolen from Experian’s server were for sale on the dark web.
What Caused the Breach?
Most consumers know Experian as one of the three major credit processing companies, but they are also involved in data brokering and analytics. They have moved into these markets by acquiring smaller companies, but have not always done due diligence on the security of these companies or their clients. Experian has had issues with data breaches from acquired companies in the past, including an unrelated company that hired a vendor that sold personal data directly to identity thieves.
What Can I Do If My Information Was Exposed?
If your data was exposed, it’s important to take steps to prevent identity thieves from opening new accounts using your information. The average loss in identity theft cases is approximately 10 times higher than credit card or bank fraud. The companies involved have offered free credit monitoring for two years, but it’s a bit like closing the barn door after the horse has escaped. If you are not yet a victim of identity theft, you can place a credit freeze or short-term fraud alert on your account with the three nationwide credit reporting agencies. If you are a victim, you can place a long-term fraud alert on your account that will last for seven years. Contact the credit bureaus to place these blocks.
- Equifax: 800-349-9960
- Experian: 888-397-3742
- TransUnion: 888-909-8872
What Can I Take From This For My Business?
It’s not enough to only worry about your own company’s network security. T-Mobile was not directly responsible for the breach and will likely drop Experian as their credit check vendor, but they are now the target of no less than five class action lawsuits. The hackers responsible for the 2013 hack on the giant retailer Target gained initial entry through a remote access point used by an HVAC installer at one store. Ask potential vendors or business partners about their security, and what protections they have in place if there is a breach. Remember, if they are lax on security, their problem with hackers could swiftly become your problem. Stay safe.