T-Mobile & Experian: The Fallout From Big Brand Breaches

Update: Class-action lawsuits for Experian are increasing, according to The Hill. Experian, who released half-year financials yesterday, was quoted as saying: “It is currently not possible to predict the scope and effect on the Group of these various regulatory and government investigations and legal actions, including their timing and scale.”

The T-Mobile breach of 15 million customers via its third-party partner Experian is taking an unfortunate toll on both organizations as negative perception is flowing mightily right now. Crisis communications are having to be applied all over between a credit bureau and a large mobile carrier partner that likely represents a nice credit-check business for Experian.

News of the breach happened October 1. Today, there are at least five class-action lawsuits against both companies, and a sixth suit that names Experian alone in less than a week, according to Bloomberg.

In the first few days after the news of the T-Mobile/Experian hack, there has already been public outcry for the head of Experian to be fired. There are public statements from T-Mobile’s CEO about being “incredibly angry” and will be looking to end its partnership with Experian.

State attorney generals in Massachusetts, Connecticut, and Illinois have announced they will be probing the breach. More state investigations are likely to follow.

The Problem With Using SSNs

There are 15 million customers with private information in the public sphere, the most damaging being social security numbers. Not worried about your social security number? You should be. In 2011 alone, the U.S. Internal Revenue Service estimated it issued over $3.5 billion in possibly fraudulent tax refunds.

Some security experts will tell you the use of social security numbers as individual identifiers in digital formats should end. They were never intended to be used in this way, and they are incredibly easy to use in fraudulent activity. What is the right answer? Some countries have moved toward biometrics, but they have their own set of issues say privacy advocates.

For the time being, however, consumers, companies, and lawmakers will continue to point fingers as the lawsuits mount and the damage control experts are called in to do their work. The lawsuits will likely take years to come to an end. Ask Target. They are unfortunately still dealing with the fallout from a third party breach two and half years later.

Let’s Take a Closer Look at Experian’s Scorecard

The data and analytics company which is well known for its credit rating services for consumers via the FICO score, has an overall grade of a ‘C’ in our security risk benchmarking platform which weights 10 overall security categories and factors.

“It appears that Experian has a ‘D’ within the IP Reputation category (indicating persistent malware infections), a ‘C’ in Application Security (indicating improperly configured web applications), an ‘F’ in Network Security (indicating potentially vulnerable Internet-facing services such as FTP and telnet),” said Alex Heid, Chief of Research, SecurityScorecard. “We find that Experian is frequently mentioned within Hacker Chatter as malicious actors discuss ways to leverage the company for identity theft and pulling personal information about potential targets.”

Experian also has a ‘C’ in the Social Engineering category where our proprietary technology found nearly 100 (98) social network user logins that have been discovered using leaked employee email addresses. Our remediation advice which is featured in our benchmarking platform, offers the following solution to the social engineering dilemma:

“Provide security awareness training to help educate employees about the proper use cases of corporate credentials including explanation of the risk of spear phishing, credential reuse, and how to properly respond to a spear phishing campaign. “Consider the implementation of a policy regarding the use of enterprise resources when engaged in public social networking activity, which may sometimes be needed for business reasons.”

About SecurityScorecard

Managing vendor risk can be as simple as an instant security audit. Since SecurityScorecard is continuous, and features built-in alerting, actionable risk intelligence flows directly to you as it changes. Our benchmarking platform is self-service, so the most useful risk information is always available, on demand.

If you want to share the information, you can with our collaborative workflow that allows you to invite vendors to view and resolve issues seen on the Scorecard. Speed up the time to remediate risk at unprecedented scale. Know the security-risk posture of any company— instantly.