Friday, 2. October 2015

15 Million T-Mobile Users Compromised – What it Means for You

If you’re a T-Mobile customer and you underwent a credit check for service or device financing from September 1, 2013 through September 16, 2015, you may be affected by the latest large-scale data breach. If you are, you’re not alone: reports indicate up to 15 million people may be affected.

In this most recent incident, the attack wasn’t against T-Mobile. Instead, it was against Experian, which processes T-Mobile’s credit applications. This data breach is another example of a company being affected by one of its vendors.


This is similar to the Heartland Payment Systems breach in 2009 and shows how companies responsible for processing financial information continue to be a weak link in the chain.

Attackers were able to get critical customer information including:

•  Name
•  Address
•  Birth date
•  Social Security Number
•  ID number (i.e. a driver’s license or passport number)

T-Mobile has said the Social Security Numbers and ID numbers were encrypted. However, they have also indicated that, according to Experian, the encryption may also have been compromised. (Experian has not said that information was encrypted, nor that the encryption was compromised.)

Both T-Mobile and Experian have indicated that attackers accessed a server to steal the information. This is all the detail T-Mobile and Experian have provided so far.

However, while they’ve not said the exact cause of the breach, we can use this information to make some informed suppositions:

•  The Data Breach Likely Occurred Due to a Hacking (APT-type) Incident: Using the Bayesian analysis from our recent paper analyzing the past ten years’ data breaches in the U.S., “Follow the Data: Dissecting Data Breaches and Debunking Myths,” we can theorize that this was most likely due to a hacking or malware incident. The loss of personally identifiable information (PII) in this incident is consistent with these kinds of breaches – it’s the most common type of data lost in retail breaches of this kind.
•  The Attack Most Likely Involved the Compromise of Administrative Credentials: In our analysis, our researcher, Numaan Huq, notes there is a 70 percent chance PII will be taken when credentials are compromised. With cybercriminals potentially able to bypass encrypted records, this also implies the records were accessed using credentials that had permission to access the information in an unencrypted form.

In short, this looks like a classic APT-style attack.

To T-Mobile and Experian’s credit, the data breach was quickly discovered and addressed, and their notification to affected customers is one of the fastest we’ve seen yet (within two weeks of the event). Additionally, both T-Mobile and Experian have already provided information on their websites.

If you’re affected by this incident, you should sign up right away for the two years of free credit monitoring currently being offered.

Furthermore, this incident underscores the necessity for both companies and individuals alike to share the cybersecurity responsibility. It is incumbent upon organizations like Experian to invest in breach detection solutions such as Trend Micro Deep Discovery to protect their customers’ data. Individuals should also obtain real-time credit monitoring to better protect themselves from these situations.

As we indicated in our data breach report, these events have become much more common since 2009. And while it’s been a while since we’ve had a retail data breach of this size and scope, this is a reminder that the problem hasn’t gone away and isn’t likely to go away anytime soon.

Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.