Millions of T-Mobile customers exposed in Experian breach
Ming Hu, Abhay Kshirsagar, Ariana Levinson, Victoria A. Johnson, Jianhui Chen, Binu Anna Eapen
Overview
Experian is a global information services company; it provides data and analytical tools to help clients manage consumer credit risk.
T-Mobile is a major wireless network operator; it provides wireless and data services in the United States.
T-Mobile hired Experian to process its credit applications, and Experian was allowed to host the related data. This is an outsourcing relationship between T-Mobile and Experian.
What happened
➢ Event reported: Sept. 15, 2015. An unauthorized party accessed T-Mobile data housed on an Experian server.
➢ Data at risk: Records containing name, address, Social Security number, date of birth, identification number (driver's license, military ID, or passport number) and additional information used in T-Mobile's credit assessment of current customers and of consumers who applied for T-Mobile USA postpaid services from September 1, 2013 through September 16, 2015 were accessed.
➢ Data not lost: Payment card/banking information and Experian's own customer database were not accessed.
What happened (continued)
➢ Steps taken by Experian:
○ Ensuring web application firewalls are working as intended
○ Enhancing security of encryption keys
○ Limiting authorized access to the server
○ Engaging U.S. and international law enforcement and cybercrime authorities
○ Increasing monitoring of the affected servers and associated systems
○ Notifying the affected customers and offering free credit monitoring for 2 years, plus identity resolution services for as long as the customer needs them
➢ Data misuse: There is no evidence at this time that the data has been used inappropriately.
How it happened
➢ T-Mobile and Experian both acknowledged that the encryption may have been cracked by the intruders.
➢ It has not been confirmed what encryption was used.
➢ The intruders were able to steal encrypted data because they broke into the Experian systems designed to keep that information encrypted and safe.
Impact
T-Mobile USA's consumer unit wasn't hit; Experian, the vendor that processed credit applications for T-Mobile, was.
Customers:
➢ Individuals who applied for T-Mobile services from September 1, 2013 to September 16, 2015
➢ 15 million people hit by the breach
➢ PII risks: identity theft, utility fraud, tax fraud, medical fraud
T-Mobile:
➢ Legal: Six lawsuits filed against T-Mobile and Experian accuse the companies of negligence and violations of consumer protection laws, and claim the stolen data is already appearing for sale in corners of the Internet known as the dark web.
➢ Financial: Shares were down 1.3%.
Root cause analysis
➢ T-Mobile stored its customer data with a third-party vendor, Experian. Research shows that up to 63% of all data breaches are caused by a third-party vendor.
➢ Vulnerabilities:
○ Vulnerabilities were identified in the encryption algorithm used.
○ Possibly the encryption technology was not updated in a timely manner or needed stronger algorithms.
○ The web application firewall was not working as intended.
➢ Ineffective detective controls: The attacker was able to defeat the existing controls and obtain information on up to 15 million customers.
Controls to remediate security and lessons learned
Experian
➢ Implement a vulnerability management tool (Qualys, Nessus, etc.) and scan regularly and often.
➢ When updates or patches are pushed out, apply them within 30 days.
➢ Limit the number of people with physical and logical access to the servers.
➢ Carefully test all changes, patches, and configurations before implementing them in production, to ensure they do not unintentionally undermine the established security controls.
➢ ALL Personally Identifiable Information (PII), i.e. name, DoB, SSN, addresses, phone numbers, etc., should be strongly encrypted within the systems it is stored in. Should a breach occur and data be stolen, that data should not be readable.
T-Mobile
➢ Caught between a rock and a hard place: credit checks and a limited marketplace
Thank you Q&A