Experian data breach exposes the supply chain security fustercluck


As T-Mobile data from the Experian data breach starts to go up for sale on the dark web, IT Security Thing explores what the IT security industry thinks of this debacle.

Experian bills itself as “the UK’s most trusted credit monitoring service” but, in the light of the data breach that has compromised the records of some 15 million T-Mobile (US) customers, it might have to reconsider that description on the other side of the pond.

The as yet unknown hacker, or hackers, managed to acquire the records of customers and applicants who required a credit check (successful or not) for service or device financing between 1 September 2013 and 16 September 2015. Just for the record, yes, you did read that right: a two-year window.

To pour a little more accelerant onto the flames, the breach was not revealed to customers until 1 October. That makes another Experian strapline, this time from the Experian Data Breach Response Service, seem equally irrelevant: “Respond, reassure and recover quickly in the event of a data breach.” Yeah right…

T-Mobile CEO John Legere is pretty angry and says the stolen data includes customer name, address and birth date, as well as encrypted fields containing the Social Security number and an ID number (which might be a driver’s license or passport number), plus additional information used in T-Mobile’s own credit assessment.

“Experian has determined that this encryption may have been compromised” Legere admits, going on to state that “I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian” as well as the usual stuff about assisting customers and taking security seriously of course. Legere also took the opportunity to assure customers that “neither T-Mobile’s systems nor network were part of this intrusion”. So that’s OK then!

Less OK, for many observers, is the fact that while that relationship review is under way, T-Mobile has gone ahead and told customers impacted by the breach that they can have two years of free credit monitoring and identity resolution service from, are you sitting down, the very company that allowed their data to be compromised in the first place.

Yep, T-Mobile says customers whose data was leaked by Experian can have Experian monitoring free of charge. There must be a funny quip on the trust issue here, but frankly I cannot think of it at the moment as I am too busy being angry at the pomposity of it all.

Is Experian really so self-important that it thinks people should trust it when it comes to mopping up this mess? Is T-Mobile really so self-important that it thinks people won’t see through this and conclude that it is business as usual, and that Legere’s words are mealy-mouthed corporate ass-protection and nothing more?

I’m guessing, on the second point, that the T-Mobile ass has already felt the sting of a customer kicking, as it appears to have backtracked a bit and is offering an alternative, TransUnion’s CSID ID theft and credit monitoring service, for those who just might not trust Experian to handle this.

Whichever they choose, those customers had better act fast: the stolen data is already being advertised for sale on the dark web. Not just a teaser, mind, but your actual ‘fullz’ database: the complete identity records (name, address, date of birth, Social Security number) that fraudsters need to open accounts in a victim’s name.

If this is, as looks likely, the real deal, then a whole lot of very valuable personal data has just hit the criminal market. Here at IT Security Thing we are getting more than a little concerned at the sheer volume of personal data being moved around the dark web right now, and at the length of time it is taking for companies that really should know better to spot that their networks have been breached in the first place.

What do we think here at IT Security Thing? Well, it reinforces our belief that your security posture can only be strengthened by assuming from the get-go that your network has been breached, and putting in place the procedures to deal with that. For us that means being able to spot ‘unusual’ behaviour, a service account suddenly pulling millions of records, say, and deal with it at the earliest opportunity (not two years down the breach road). It also means taking a data-centric approach to security, which in turn means getting serious about things like encryption; and not just encrypting fields, but managing the keys so that whoever can read the database cannot also read the key material, because if the same compromised access path reaches both, the ‘encrypted’ fields protect nothing.
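To make the “spot unusual behaviour early” point concrete, here is an added example (ours, not anything from T-Mobile, Experian or the original article) of the kind of check a monitoring layer could run over a database audit log. The log format, the principal names and the row counts are all constructed for the illustration; the idea is to flag an hour in which a principal read far more rows than its own usual hourly volume, while leaving a steady nightly batch job alone.

```python
"""
Bulk-read detection over a constructed audit log.

Added example, not from the original article. Flags any hour in which a
principal read far more rows than its own usual hourly volume. The log
format is invented for this illustration and looks like:

    2015-09-15T02:13:44Z principal=app-svc-17 action=READ table=applicants rows=75000
"""
import re
import statistics
from collections import defaultdict

# Assumed log format (hypothetical); real systems will differ.
# Timestamps are ISO-8601 UTC, so the first 13 characters give the hour bucket.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"principal=(?P<principal>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample: a service account with a steady trickle of reads,
# two huge reads in the 02:00 hour, a nightly batch job whose bulk reads
# are normal *for that principal*, and a write that should be ignored.
SAMPLE_LOG = """\
2015-09-14T22:05:10Z principal=app-svc-17 action=READ table=applicants rows=240
2015-09-14T22:41:02Z principal=app-svc-17 action=READ table=applicants rows=210
2015-09-14T23:12:55Z principal=app-svc-17 action=READ table=applicants rows=260
2015-09-14T23:50:31Z principal=app-svc-17 action=READ table=applicants rows=190
2015-09-15T00:09:47Z principal=app-svc-17 action=READ table=applicants rows=230
2015-09-15T01:30:12Z principal=app-svc-17 action=READ table=applicants rows=250
2015-09-15T02:13:44Z principal=app-svc-17 action=READ table=applicants rows=75000
2015-09-15T02:47:09Z principal=app-svc-17 action=READ table=applicants rows=80000
2015-09-15T03:02:00Z principal=app-svc-17 action=READ table=applicants rows=220
2015-09-15T02:20:00Z principal=app-svc-17 action=WRITE table=applicants rows=3
2015-09-14T01:00:00Z principal=batch-nightly action=READ table=applicants rows=50000
2015-09-15T01:00:00Z principal=batch-nightly action=READ table=applicants rows=50000
2015-09-16T01:00:00Z principal=batch-nightly action=READ table=applicants rows=50000
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec


def hourly_read_totals(lines):
    """Sum rows read per (principal, UTC hour); the hour key is 'YYYY-MM-DDTHH'."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "READ":
            continue  # skip malformed lines and anything that is not a read
        totals[(rec["principal"], rec["ts"][:13])] += rec["rows"]
    return totals


def find_bulk_reads(lines, factor=10, floor=1000):
    """
    Flag (principal, hour) buckets whose row count exceeds both an absolute
    floor and `factor` times that principal's own median hourly volume.

    The per-principal baseline stops a consistent batch job from alerting
    every night; the floor stops a near-zero median from turning a handful
    of rows into an alert.
    """
    per_principal = defaultdict(list)
    for (principal, hour), rows in hourly_read_totals(lines).items():
        per_principal[principal].append((hour, rows))

    alerts = []
    for principal, buckets in per_principal.items():
        median = statistics.median(rows for _, rows in buckets)
        threshold = max(floor, factor * median)
        for hour, rows in sorted(buckets):
            if rows > threshold:
                alerts.append({"principal": principal, "hour": hour,
                               "rows": rows, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for a in find_bulk_reads(SAMPLE_LOG.splitlines()):
        print(f"{a['hour']}Z {a['principal']} read {a['rows']} rows "
              f"(threshold {a['threshold']:.0f})")
```

Two caveats a practitioner would add. First, this only works if the path that was abused actually logs row counts per query; an application account with a legitimate “look up one applicant” permission that is driven in a loop will show up as a high aggregate, but only if someone is aggregating. Second, an attacker with two years to play with can trickle records out under any per-hour threshold, so the same check should also be run over a daily window and against the number of distinct records touched, not just rows returned.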

That, in this case, Experian seems to be suggesting the encryption in place may have been compromised is yet another catalyst for a round of head-shaking here at IT Security Thing HQ.

So what does the IT security industry think? Fred Kost, senior vice president at cloud control company HyTrust, says the Experian breach “is a great example of the risks that arise when one organization’s data is in another’s control. This can happen with outsourcing arrangements or even the use of cloud-hosted data. If companies do not ask about, and require, details about the protection of their data — including (important!) the use of encryption, monitoring and enforcement of access policies, and key management — it’s not a question of ‘if’… they will find themselves in the same position as T-Mobile in the future.”

Jerome Segura, senior security researcher at Malwarebytes Labs, points out that “what’s perhaps most startling in this case is the fact that T-Mobile entrusted Experian, the credit bureau which has had several breaches of its own in the past.”

Sam Glines, CEO and co-founder of cyber intelligence outfit Norse reckons it’s yet another supply chain warning, saying “This incident highlights that while an enterprise can go to extraordinary lengths to implement a mature security program, it must also recognize that the security posture of its business partners and supply chain is equally important.”

Ryan Wilk, Director at fraud prediction and prevention specialists NuData Security warns that data breaches don’t occur in a vacuum. “The breach has already happened, but it’s still possible to prevent hackers from being able to use the data they steal in these incidents, rendering it completely useless to them and thus protecting victims of a data breach from further harm” he says, adding “with a comprehensive, passive behavior profiling system, suspicious activity can be immediately identified and blocked.”

Gavin Reid, VP of threat intelligence at network security experts Lancope, is painfully blunt in his opinion: “When you type “Experian” into Google, the suggested first result is “Experian data breach”, the next results are “Experian data breach 2014” and “Experian data breach 2013”. Experian has experienced 3 major hacks in as many years! If this isn’t a wake-up call to take action, I don’t know what is.”

And Philip Lieberman, CEO of privileged identity management company Lieberman Software, insists that “the CEO’s role today must be as the commander-in-chief of cyber-defense, rather than simply complying with the minimal requirements of auditors. Many companies are being hit with these types of attacks and only the CEO can provide the leadership and investments necessary to mitigate these types of bad outcomes. We would strongly suggest that the CEO and Board of Directors re-evaluate their security vendor choices and internal processes going forward.”

Richard Parris, CEO at secure identity and credential management business Intercede, thinks that telcos in particular need to sit up and take notice, and action, after the breach. “The news that 15 million T-Mobile customers have been affected by a data breach at Experian should be a wake-up call for all telcos. In an independent survey of 2,000 16- to 35-year-old consumers (dubbed ‘Millennials’), it was revealed that only four percent of Millennials put complete trust in their telecommunications operators. 15 percent of respondents place no trust in their operator, 25 percent place ‘a little’, 37 percent place ‘some’, and just 19 percent place ‘a lot’. Given this, it is evident that the telecommunications industry has a lot of work to do in order to restore consumer faith. Protecting customers’ private data should be a top priority for any organisation. Failure to demonstrate that adequate safeguards are in place could result in customer churn to a competitor.”

I’ll leave the last word to Experian’s CEO in North America, Craig Boundy, who rather predictably stated: “we take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause. That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation.”

Actually, IT Security Thing can have the last word: saying sorry after the event is not enough, nobody cares about apologetic whimperings from corporate mouthpieces anymore. What we want, and demand, is a better security environment where the protection of customer data is taken more seriously in the organisation from the top down. Post-breach there is always lots being done to ensure this never happens again, what a shame lots isn’t done to ensure it doesn’t happen in the first place.

And just in case you’ve got this far wondering what a fustercluck is, it is a polite way of saying clusterfuck. Yes, I did say it, and I mean it. I cannot think of another word that better describes the combination of undoubted security errors from all parties pre-breach and handling errors post-breach. Sure, we don’t yet know exactly what happened on the technical front. But we do know that Experian does not come to the table with a totally clean slate as far as breaches are concerned, and we do know that outsourcing to a third party with something of an apparent insecurity history, and then advising customers impacted by the breach to use that same third party to monitor for the consequences, is not exactly going to win T-Mobile (US) any business brain of the year awards.

Image: Designed by Freepik