NEWS ANALYSIS: The only thing T-Mobile did wrong in last week's data breach was to choose Experian for its credit reporting.
One of the biggest risks in business is in finding out whom you can trust. When Target was breached, the company found out that it shouldn't have trusted its HVAC contractor. Now, T-Mobile is finding out that it shouldn't have trusted its credit reporting bureau.
At first, the reports last week that T-Mobile customer data was stolen from Experian seemed to be a surprise. After all, credit bureaus are the repositories of some of the most personal, and most critical, data anywhere. But as it turned out, not only was Experian at fault, the company apparently leaks data at an alarming rate.
In fact, eWEEK's Sean Michael Kerner revealed that Experian has had well over 100 recent data breaches, and that its security practices were sufficiently shoddy that hackers were able to steal information, despite the fact that it was supposedly encrypted. It's no surprise that T-Mobile's CEO John Legere expressed anger at the event. Unlike the results in most data breaches, the T-Mobile CEO also forced Experian to provide identity theft protection through ProtectMyID in addition to the usual credit monitoring.
Unfortunately, ProtectMyID is part of Experian, so there's somewhat less certainty that your information is safe there than there might be if a third party had been brought in to help.
Meanwhile, Legere said in a blog post that T-Mobile is re-evaluating its relationship with Experian, a sign that its days with T-Mobile are numbered. But unfortunately, in this case it appears to be T-Mobile that's bearing the brunt of the cost of recovery from the data breach, and to some extent, the damage to its reputation.
For its part, Experian issued the now-traditional press release in which the company tried to make it look as if somebody else was at fault while claiming (falsely) that the information hasn't been misused. In reality, that T-Mobile data is already for sale on a number of hacker sites, and may have been available for much of the two years during which the breach occurred.
Experian spokesman Michael Troncale told eWEEK in an email: "We have taken immediate steps to harden our environment. To ensure our security measures and practices stand up to the high standards to which we hold ourselves. As you know, Experian’s consumer credit database [consumer credit bureau] was not accessed in this incident, and no payment card or banking information was obtained."
For T-Mobile customers, this means that they need to examine their credit reports as far back as September 2013. They should also go to the ProtectMyID link and see what they can do to get help, while also hoping that Experian doesn't lose their data again.
However, more needs to be done. Experian apparently has not benefitted from the lessons learned from its hundreds of breaches to clean up its act, and instead, is focusing on getting legislation passed to indemnify it against such lack of security.
Advocacy group Fight for the Future points to the blog databreaches.net for a chronicle of Experian's sad security history. The group points to millions spent by Experian lobbying for legislation that would keep the company from having to improve its security. Fight for the Future CTO Jeff Lyon issued a press release calling for the resignation of Experian's CEO, which, of course, isn't going to happen.
If your company uses Experian to run credit checks, this is a good time to re-evaluate your use of that credit reporting company. While, apparently, Experian can offer its services at a competitive price, you have to ask yourself if that cost is worth it over the long run. Just ask T-Mobile how much it's costing the company to recover from this breach, which almost certainly exceeds whatever they may have saved in reduced costs.