T-Mobile Customer Data Leaked By Experian... And Faulty Encryption Implementation
This week's big data leak comes from mobile phone provider T-Mobile, who has admitted that someone hacked into credit giant Experian and got a bunch of T-Mobile customer data. The good news? The personal data was encrypted. The bad news? Experian fucked up the encryption and so it doesn't matter:
We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver's license or passport number), and additional information used in T-Mobile's own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.
I happen to be a T-Mobile customer, and I look forward to the usual bullshit response of a year's worth of credit monitoring and promises that this will never happen again. You know, until it does.
As I've said before, I do worry about holding companies totally responsible for when they get hacked, because a determined adversary will hack into any company they want to eventually. That's just the nature of the game. But when the company appears to be totally incompetent to the point of being negligent, it seems reasonable to hold them responsible. I'm sure in the coming days we'll find out more details about how the "encryption was compromised" (and we'll also probably learn that it impacts many more people than originally claimed). But these new data breaches every week or so are starting to get ridiculous.
