02 Oct 15

Experian Breach Affects 15 Million Consumers

Kicking off National Cybersecurity Awareness Month with a bang, credit bureau and consumer data broker Experian North America disclosed Thursday that a breach of its computer systems exposed approximately 15 million Social Security numbers and other data on people who applied for financing from wireless provider T-Mobile USA Inc.

Experian said the compromise of an internal server exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment. The Costa Mesa, Calif.-based data broker stressed that no payment card or banking details were stolen, and that the intruders never touched its consumer credit database.

Based on the wording of Experian’s public statement, many publications have reported that the breach lasted for two years, from Sept. 1, 2013 to Sept. 16, 2015. But according to Experian spokesperson Susan Henson, the forensic investigation is ongoing, and the exact date on which the intruders broke into Experian’s server remains unclear at this point.

Henson told KrebsOnSecurity that Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 2015.

T-Mobile CEO John Legere blasted Experian in a statement posted to T-Mobile’s site. “Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote.

WHAT YOU CAN DO

Experian said it will be notifying affected consumers by snail mail, and that it will be offering affected consumers free credit monitoring through its “Protect MyID” service. Take them up on this offer if you want, but I would strongly encourage anyone affected by this breach to instead place a security freeze on their credit files at Experian and at the other big three credit bureaus, including Equifax, Trans Union and Innovis.

Experian’s offer to sign victims up for its credit monitoring service to address a breach of its own making is pretty rich. Moreover, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

If after ordering a free copy of your credit report at annualcreditreport.com you find unauthorized activity on your credit file, by all means take advantage of the credit monitoring service, which should assist you in removing those inquiries from your credit file and restoring your credit score if it was dinged in the process.

But as I explain at length in my story How I Learned to Stop Worrying and Embrace the Security Freeze, credit monitoring services aren’t really built to stop thieves from opening new lines of credit in your name.

If you wish to block thieves from using your personal information to obtain new credit in your name, freeze your credit file with the major bureaus. For more on how to do that and for my own personal experience with placing a freeze, see this piece.

I will be taking a much closer look at Experian’s security (or lack thereof) in the coming days, and my guess is lawmakers on Capitol Hill will be following suit. This is hardly the first time lax security at Experian has exposed millions of consumer records. Earlier this year, a Vietnamese man named Hieu Minh Ngo was sentenced to 13 years in prison for running an online identity theft service that pulled consumer data directly from an Experian subsidiary. Experian is now fighting off a class-action lawsuit over the incident.

During the time that ID theft service was in operation, customers of Ngo’s service had access to more than 200 million consumer records. Experian didn’t detect Ngo’s activity until it was notified by federal investigators that Ngo was an ID thief posing as a private investigator based in the United States. The data broker failed to detect the anomalous activity even though Ngo’s monthly payments for the consumer data lookups that his hundreds of customers conducted each month came via wire transfers from a bank in Singapore.


74 comments

  1. Approx. 15mil of those “Somewhere” begging to be used for fake tax refunds, since it has been for 2 years I’m gonna assume it’s to be found somewhere in a sauce..
    After reading this “what can you do”, aren’t they a little late?

  2. terry the censor

    So why do people want to get rid of the paper ballot?

    • Because it makes the shortage of adequate polling facilities in disadvantaged neighborhoods less obvious.

  3. Data loss will continue until a) it costs ($) more to remedy each compromise than to fix the security or b) punishment is personal (CEO/CIO goes to jail). Everything else is irrelevant. Public shaming is just a dollar loss in the end, in which case — see option (a). Laws can make that cost go up, but the fines need to be significant dollars so that fixing the issues before it happens is the only option that can be considered.

    • G Hoffman, I think you are looking at this wrong.

      The problem is that pieces of data are being used to identify a particular human.

      Secret pieces of data are an insecure method of authentication; fix that and this ID theft problem goes away.

      Obtaining credit, filing or getting copies of taxes and other sensitive things NEED two factor authentication and three factor auth would be even better.

      • I’m not sure what you’re getting at here. All authentication relies on secrets. Two factor authentication just increases the amount of secrets (i.e. you require the secret password, and the secret SIM card number/email address/whatever).

  4. So what happens when you sign up at each credit bureau to place a freeze on your file and then those databases are breached? I think the next step in the advance of this type of crime is not simply stealing this data, but subverting the freeze system entirely. Scary thought, but there would be an awful lot of money to be made in pulling that off.

    • ChoppedBroccoli

      I was just thinking this last night. There is a very easy DOS an attacker can do here, and it doesn’t take a genius to cook it up. HINT – execute your security freeze IMMEDIATELY.

    • The point is, whatever is breached, if you place a security freeze on your credit, they won’t be able to use the data to open any accounts in your name, because when the bank/credit card company/whatever contact the credit bureaus to verify your credit, the report will be frozen.

      • Unless you release it for an amount of time you determine using your PIN. Temporarily unfreezing it is built in to the system.

  5. Still here Krebs

  6. Krebs likes to censor people, know the truth !

  7. “…Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 1015.”

    So you mean to tell me they detected the breach, then *a week later* the theft occurred? This is a joke, right? Or a typo? Well, 1015 does look like a typo, but if you mean 2015, oh, boy. Inside job?

    • What’s unclear about that? They detected a breach, and a week later were able to actually confirm that data was exfiltrated.

      • The year says 1015. Not 2015.

      • “Henson told KrebsOnSecurity that Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 2015.”
        I stumbled on this as well. The unclear part is that the structure suggests that the date is related to the most recent used action term.

        “…Experian detected the breach on Sept. 15, 2015, and on Sept. 22, 2015 confirmed the theft of a single file …”
        Much clearer I think. =) Yes, I’m pedantic.

        • Or: “On Sept. 15, 2015, Experian detected the breach, and on Sept. 22, 2015 they confirmed the theft …”

          Yes, it’s not completely clear in the original sentence structure, whether the dates refer to the breach/theft or refer to Experian’s detection/confirmation of the aforementioned. Grammatically, it could be read either way (or maybe even 4 different ways.)

          • The theft started in Sept. of 2013. They detected the intrusion on the 15th of this year. Even though the theft goes back to 2013, and they detected the breach on the 15th, they’ve discovered [albeit slowly] WHICH data was stolen, on the 22nd

            How exactly is that hard for any of you?

      • ChoppedBroccoli

        Hi Brian, I had a comment regarding security freezes and the fee schedule for people who are id theft victims vs breach victims that seems to have been deleted (perhaps because I linked to the equifax fee schedule?). Wondering if that happened by accident could it be added back? Cheers!

      • I misread it, perhaps. Did the theft occur a week later, or the confirmation occur a week later? If it was the theft, then they learned nothing from their discovery a week earlier and took no steps to tighten things up in the interim.

      • Brian,

        Was it only T-Mobile Experian inquiries that were hacked? Or was Experian housing data for T-Mobile and all their inquiries from other sources? A lot of subscribers on forums, in that time frame affected, are responding that TransUnion pulled their credit inquiry. Which starts to make people think Experian was housing data for T-Mobile.

        I called T-Mobile, the rep said you’re affected if you applied within those dates. TransUnion pulled my credit inquiry. Level 1 reps, I’m sure, are not savvy on the situation.

        Would really like clarification if it’s only Experian inquiries.

  8. T-mobile’s statement says that Experian’s encryption “may have been compromised”. Experian’s statement mentions nothing about encryption. Do you know if encryption was compromised and if so, what it was?

    • I’m sure it was “compromised”. Translated: “Once the attackers were able to gain valid authentication credentials, data at rest encryption was rendered moot”. Of course it was. This is why encrypting data at rest on enterprise storage systems is a waste of time. Nobody is walking out of the building with a SAN.

      • Backups. In order to be data protection compliant, and just for good backup practice, backups are stored off site. This obviously puts the disks out of your reach, and thus at risk. Encryption at rest prevents this data going walkies, even if the disks themselves do.

  9. I like the idea of freezing credit. How do I waive the fees in this case? File a police report against Experian for losing my private data?

    Given that they failed to protect my private data, it seems ludicrous that I should have to pay upwards of $60 for peace of mind and some semblance of real, actual protection.

  10. High time that lawmakers take a close look at Experian – the credit reporting agency used by Social Security in setting up personal accounts!

    • I agree that there should be concern that the company they are using to validate identity for SS online account is the one being hacked.

  11. If you have personal information (DOB, SSN, maybe account numbers) on some company’s servers, and that company gets hacked, they’ll likely give you free credit monitoring, possibly through Experian. Then, suppose Experian gets hacked … who guards the guards?

    Where does it stop?

    It may not be too long before freezing your credit may not even work.

  12. Brian, I love and have used your security freeze advice. Security freeze is the best – assume you have been hacked. Also add dollar notifications to debit and credit cards so if someone steals those numbers you are notified.

  13. Security freezes started out with the (then three) credit bureaus dragging their feet and deliberately causing problems (for example, credit monitoring services didn’t work at first when credit files were frozen; now, *sometimes*, they do).
    And now there are FOUR “major credit bureaus”.
    It’s time for the legislation on credit freezes to be updated to enable consumers to go to a SINGLE place (might as well be annualcreditreport.com) to set up and manage freezes at all threeXX four (however many in future) credit bureaus. It’s completely stupid that we have to manually manage this process at threeXXX now four different places (each of which can charge a freeze-lift fee, something else they should no longer be permitted to do).

  14. You actually need to “freeze/extended fraud alert” a lot more than just the big 3/4. You need to touch ChexSystems, Clarity Service, FactorTrust, LexisNexis, SageStream, and more. A lot of the payday loan companies skirt the big ones and go through lesser known ones and specialty bureaus and still get the loans using your name and SSN, etc. This is a good place to start: http://files.consumerfinance.gov/f/201501_cfpb_list-consumer-reporting-agencies.pdf

  15. I’m wondering if some department head got his project canceled?
    It was late last week, early this, that T-Mobile announced downsizing, so the rumors would have gone out, one to three months ahead.
    How long ago did t and exp go sole source? Was security set then or just by the data center? Or did it want their info? A bad query? If I was a black hacker, in their system, why would I go after just one file? Google cloud would be full and I’d be putting the overrun where ever there was space. Encry

  16. I would SO much appreciate seeing an article (by you or someone) that points out ALL the details related to doing a full credit freeze. I’ve considered doing that but I’m concerned about unintended consequences that I might not currently know about. One example: currently I receive my Trans Union and Equifax FICO scores free each month from two different credit cards I use. I asked those credit card companies if I would still be able to receive those same FICO scores if I froze my credit with all the credit agencies. The answers were ambiguous. Do you know of any such list of pros and cons that might include such details? Thanks

    • A freeze won’t prevent you from being able to see your credit score.

    • I have experienced zero bad consequences from freezing my credit file 4 months ago.

      My car/home owners insurance agent told me they periodically query credit scores to help determine rates, but said that if I see any rate hikes or anything like that to let her know and she would take care of it.

  17. Clearly, not a single company seems to care about how they handle consumer personal and financial information, given the daily breaches. All these businesses care about is having the power to control us by way of price manipulations, fees, requirements, denials of credit and whatever other whim they can pull off their hats. Who cares what consumer info got snatched, definitely not these credit police supreme court. Now, also ScottTrade got hit. They invest zero dollars in the active fight against these system intrusions, why? Because it doesn’t affect the big office boys, they keep on getting richer at everyone’s expense.

  18. >place a security freeze on their credit files at Experian and at the other big three credit bureaus, including Equifax, Trans Union and Innovis

    Is Innovis a legitimate consumer reporting agency? There seems to be a lack of information on Innovis. ( https://www.innovis.com )

    • I can’t answer that question, but it was one of the companies that I froze. And that one was free.

  19. I know we don’t have details on the method of the compromise, and a security freeze on your credit is certainly a good idea, but from the sound of it a security freeze would have been irrelevant in this case (though a good step now for compromised people).

    Note that the compromised customers were from a specific company applying for financing. This would suggest that the compromised point was either when the application came in (which would have had all the socials/personal data and so forth) or when the credit report response went out. They say their consumer credit database was not compromised and they wouldn’t be duplicating consumer data for every business that uses them for credit, so the problem was probably on point of entry or exit.

    Also, regarding credit freezes, you should know that the financial institution ordering the report does still get your full credit report when you have a freeze, it just has a big flag on it that your credit is frozen with the procedure to resolve. The financial institution can be fined heavily if they deliberately extend credit after getting such a report and not going through specific verification steps, but the freeze in no way prevents the disclosure of your credit data to whatever financial institution the ID thief is trying to use your data at.

    • Sorry, I was thinking about putting alerts on your credit report, not freezes. Freezes if properly done should keep the report from being sent to the requesting institution.

      Even so, if the breach here was at the point where Experian was receiving the application data from T Mobile, even a freeze would not have stopped the report request with personal data on it. Big businesses like T Mobile that have high volume underwriting will often have custom-built data feeds that quickly spit the report data into their system without each underwriter going separately to Experian’s site to pull credit, it’s likely in the setup of one of these that the problem occurred (apparently on Experian’s side).

  20. So Experian loses my data so they can sell me ProtectMyID which is an Experian service. Isn’t that a conflict of interest? They should offer another service.

  21. Our Do Nothing CongrAsses need to pass laws mandating Life Sentences without Parole for the so-called “Black” hackers for hacking into files containing personal data of US Citizens and lawful visitors and residents.
    Next, they must pass laws forbidding companies from requiring your Social Security Number for any reason. Penalty on that one should be loss of corporate charter, i.e. right to do business in USA.
    Then, they need to think and determine what else might be needed and pass other laws protecting us.

  22. One of the most disturbing aspects of this breach is the amount of time it took to detect that the company had been breached. This is not a unique situation: prevention security solutions are clearly not providing a reliable solution for stopping breaches, and monitoring solutions take time and are prone to a volume of alerts that security teams are not equipped to address. It’s time for organizations to take a different approach to get a different result. Deception-based technology that detects inside-the-network threats is available today and could have been used to detect the presence of the attacker in real time. Deception technology will lure attackers away from the real data during attacks and will provide alerts immediately to security response teams, eliminating the time the attackers need to organize and mount their attacks.

  23. Credit bureaus need to be abolished. They are useless for consumers

  24. The Federal Consumer Financial Protection Bureau should be coordinating with the 50 state legislatures and Attorneys General (and with DC and PR and Guam and …) to make the laws concerning the handling and protection of consumer credit data *uniform* across all jurisdictions. The ability to freeze and unfreeze one’s credit file, or place or remove a fraud alert, should be *free* of all fees and charges, as it already is in South Carolina. Nor should there be any requirement to first be a victim of identity theft.
    It is preposterous that the credit reporting agencies can charge for and profit from the mismanagement of this data. If you are unhappy with the fees the credit reporting agencies can charge in your state, write to or call your representatives and demand action.

  25. Brian – As of later today, Experian told me that the hack occurred in mid-September over a few days: http://www.databreaches.net/no-the-experian-hack-did-not-go-on-for-over-two-years-it-happened-last-month/

    I look forward to your investigation of Experian’s security. If you need my list of 109 credit report dbase breaches where client login credentials were misused, let me know. That 109 doesn’t include the Court Ventures mess, nor about 20 other breaches of their credit report database that I’ve compiled.

    • Well, I wouldn’t read what they told you as definitive of finding out when they were actually breached. All they talk about is the discovery and remediation of the breach. They haven’t said “the attackers broke in on Date X”. In fact, Henson’s response to me was that the forensic investigation is ongoing, and they are parsing their words carefully.

  26. I would agree completely that credit agencies need to be abolished. Consumer credit has become a financial plague across the country (if not the world). The people running these companies are NOT concerned about security or privacy at all. They ARE the quintessential example of “the rich getting richer on the backs of the poor”. Consumer debt is an extremely big problem across the board (I am no exception).

    Freezing credit sounds good on the surface but does absolutely NO good when the bad guys already have access to the system to unfreeze it. The agency would not be able to tell the difference between the good guys and the bad guys. That’s part of why these kinds of problems happen in the first place.

    You can go get their credit monitoring service if you want. It is a complete waste of time and becomes an added “fee” placed on you for trusting them to begin with. I see NO value in using a service that already admits to being compromised BEFORE signing up.

    Who really knows when the bad guys first had access? All we are given is a date that it was detected and then a date it was reported. The truth is that the bad guys have very likely had access to Experian for as long as healthcare.gov has been online. Getting access to T-mobile was likely just an added bonus.

    One thing is for certain though. There have already been enough databases breached and enough websites hacked via enough insecure website practices and CEO/CIO/management neglect that nothing should be considered safe or trustworthy. One of the best things you can do is NOT……….don’t ask for more or sign up for more or agree to anything else. Take care of what you currently have and try not to worry about all those things that are completely out of your ability to control.

    • There is no way for them to possibly secure their stolen information while still selling it to every company that is asking for it. Their entire business model is conducive to fraud and ALWAYS WILL BE. There is no fix for it, their very premise was always shaky.

  27. Brian, with chip technology on most US cards now… are the same in-store scammers resorting to profiting from using credit profiles w/ fake ids for in-store credit now? Why two big credit data breaches in a row? Seems like a new trend, interested on your input…

  28. I have a S-Corp and applied for T-Mobile service ~ 11/2013 using my EIN (Tax ID). Would the notion of “freezing” make sense in my case? and would I really want to do this against my EIN and my SS#?

    • You should freeze your credit files with the four bureaus *period*.

      Whether or not a given incident resulted in your information being available, eventually, some other incident will, and the sooner you freeze your report the less useful that leaked data will be.

  29. Why are these crooks still in business? Once again Brian is recommending that we bargain with the crooks to freeze our stolen information they shouldn’t have in the first place.