One of the biggest risks in business is in finding out whom you can trust. When Target was breached, the company found out that it shouldn’t have trusted its HVAC contractor. Now, T-Mobile is finding out that it shouldn’t have trusted its credit reporting bureau.
At first, the reports last week that T-Mobile customer data was stolen from Experian seemed to be a surprise. After all, credit bureaus are the repositories of some of the most personal, and most critical, data anywhere. But as it turned out, not only was Experian at fault, the company apparently leaks data at an alarming rate.
In fact, eWEEK’s Sean Michael Kerner revealed that Experian has had well over 100 recent data breaches, and that its security practices were sufficiently shoddy that hackers were able to steal information, despite the fact that it was supposedly encrypted. It’s no surprise that T-Mobile’s CEO John Legere expressed anger at the event. Unlike the results in most data breaches, the T-Mobile CEO also forced Experian to provide identity theft protection through ProtectMyID in addition to the usual credit monitoring.
Unfortunately, ProtectMyID is part of Experian, so there is somewhat less certainty that your information is safe there than there would be if an independent third party had been brought in to help.
Meanwhile, Legere said in a blog post that T-Mobile is re-evaluating its relationship with Experian, a sign that its days with T-Mobile are numbered. But unfortunately, in this case it appears to be T-Mobile that’s bearing the brunt of the cost of recovery from the data breach, and to some extent, the damage to its reputation.
For its part, Experian issued the now-traditional press release in which the company tried to make it look as if somebody else was at fault while claiming (falsely) that the information hasn’t been misused. In reality, that T-Mobile data is already for sale on a number of hacker sites, and may have been available for much of the two-year period during which the breach occurred.
Experian spokesman Michael Troncale told eWEEK in an email: “We have taken immediate steps to harden our environment. To ensure our security measures and practices stand up to the high standards to which we hold ourselves. As you know, Experian’s consumer credit database [consumer credit bureau] was not accessed in this incident, and no payment card or banking information was obtained.”
For T-Mobile customers, this means that they need to examine their credit reports as far back as September 2013. They should also go to the ProtectMyID link and see what they can do to get help, while also hoping that Experian doesn’t lose their data again.
However, more needs to be done. Experian apparently has not applied the lessons of its hundreds of breaches to clean up its act, and instead is focusing on getting legislation passed that would indemnify it against the consequences of such security lapses.
Advocacy group Fight for the Future points to the blog databreaches.net for a chronicle of Experian’s sad security history. The group points to millions spent by Experian lobbying for legislation that would keep the company from having to improve its security. Fight for the Future CTO Jeff Lyon issued a press release calling for the resignation of Experian’s CEO—which, of course, isn’t going to happen.
If your company uses Experian to run credit checks, this is a good time to re-evaluate your use of that credit reporting company. While, apparently, Experian can offer its services at a competitive price, you have to ask yourself whether that saving is worth it over the long run. Just ask T-Mobile how much it’s costing the company to recover from this breach, which almost certainly exceeds whatever it may have saved in reduced costs.
T-Mobile Caught Holding the Bag as Experian Loses Customer Data
Fortunately, T-Mobile has a CEO with a high profile who can make himself heard above the ambient noise on Twitter. But what about your company? How much would it cost you to get your customers back after Experian or some other partner abused your trust?
Then ask yourself how long it would take you to rebuild your reputation. Data breaches, regardless of the cause, can have a profound impact on companies, and the fact that it’s not their fault may not help much. So while you’re checking to see if you use Experian for anything, also think about some additional actions.
Check the contracts you have with other companies and make sure you have included their responsibility for protecting your data, and that you specify who gets to pay when they drop the ball.
Check with your legal team to make sure that you have the means in place to force your business partners to offer more than just basic protections for your customers if they get hurt in a breach caused by your business partner.
And finally, check to see if there’s any exposure regarding your business for the current Experian data breach. If there is, maybe it’s time to talk to that legal team of yours about finding ways to make sure you’ve taken every possible step to recover from Experian for any potential loss to your company.
The problem is that companies with a history of irresponsibility aren’t going to heed calls to do things like having their CEO resign. The only thing that will change their ways is the credible prospect of one of two things. The first is a significant hit on the bottom line. The second is jail time.
It’s not clear that Experian broke any criminal laws with its data breaches, which leaves out the jail time option. The only other thing you can do is hit their bottom line hard enough that they pay attention. If enough companies do that, perhaps they’ll pay attention to the need to act responsibly.