T-Mobile recently announced that a breach of a server at Experian, which processes T-Mobile’s credit applications, exposed the personal information of approximately 15 million people who applied for T-Mobile services between September 1, 2013 and September 16, 2015.
“Experian has taken full responsibility for the theft of data from its server,” T-Mobile stated in a FAQ.
The exposed data includes names, addresses and birthdates, as well as encrypted Social Security numbers and/or encrypted driver’s license or passport numbers. “Experian has determined that this encryption may have been compromised,” T-Mobile CEO John Legere wrote in an open letter to those affected.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere added. “I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”
All those affected are being offered two years of credit monitoring services from ProtectMyID.
“The information that was exposed could lead to an increased risk of identity theft,” Experian stated in a FAQ. “Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened. We encourage all eligible consumers to enroll in the complimentary identity resolution services we have offered.”
Fasoo vice president Ron Arden told eSecurity Planet by email that the breach should be a wakeup call for any business that provides third parties with access to sensitive customer data. “T-Mobile is ultimately responsible for protecting all sensitive data throughout its supply chain and has to rely on the security systems of its downstream partners to protect information,” he said. “Unless they did a security audit on those partners and are satisfied they will maintain sensitive data in a safe way, they are vulnerable. The service provider should apply strong encryption to the data that is controlled through persistent, dynamic security policies that can restrict its use to only authorized people.”
“This incident highlights that while an enterprise can go to extraordinary lengths to implement a mature security program, it must also recognize that the security posture of its business partners and supply chain is equally important,” Norse CEO and co-founder Sam Glines added.
A recent eSecurity Planet article examined the challenges of ensuring security when sharing sensitive data with third-party vendors.