A data breach at Experian is about as scary as it gets, considering the huge trove of sensitive consumer information stored at the big credit bureau.
“Since it’s their business to store and monitor and protect (consumer) information, this is not just a black eye,” said cybersecurity expert Stu Sjouwerman, CEO of security training company KnowBe4 LLC. “This is much worse.”
Experian on Thursday admitted that one of its servers was hacked, exposing identifying details of about 15 million U.S. consumers who applied for T-Mobile telephone accounts. The exposure included their names, addresses, Social Security numbers, birth dates and other identifying information such as driver’s license numbers.
That’s the sort of data that fraudsters use to steal your identity. But without making light of the danger, there are some glimmers of hope in the breach news as well.
“Assuming that the breach doesn’t expand in scope, I think Experian seems like they’ve done the right things around containment,” cybersecurity expert Tim Erlin said in an interview.
Erlin is director of IT security and risk at the data security company Tripwire. Given that data breaches are a fact of life, he said, companies need to limit their spread by designing their data architecture in segmented fashion. This will contain the damage of any one hack. Most businesses would replicate their server architecture, leaving larger troves of data vulnerable.
“If the breach really is limited to T-Mobile customers, then they (Experian) must be separating that data in a way that keeps other customers protected,” he said.
Experian’s customers are companies like T-Mobile that buy limited access to its vast warehouse of credit information on consumers. T-Mobile does a credit check on applicants before granting them monthly-billed phone service — and so do other phone companies, utilities, credit card issuers, and on and on.
If you’re one of the 200 million-plus Americans who have a credit file, Experian probably knows all about you. It houses data on every account you have, including ones that closed long ago, plus most or all of your past addresses, phone numbers and employers. All that data is neatly organized under your name, Social Security number and date of birth. Very similar information about you is housed at the other two big credit bureaus, Equifax and TransUnion.
If you think of a single account number or Social Security number as a key to your identity, your credit file is the whole keyring. The last time I checked my credit report it reminded me of old accounts and addresses I’d forgotten about. In a sense, my credit report remembered more about me than I did.
If the consumer credit database went missing, identity theft would get such a huge boost that it could derail the financial industry. With that data floating around, it would be difficult to impossible for lenders to grant new loans and open new accounts.
In its announcement, Experian was careful to make it clear that the breach of T-Mobile customer data was far short of a hack into the main trove of consumer credit files. “Experian’s consumer credit database was not accessed, and no other clients’ data was accessed,” the company said in a statement on its website.
Experian called the breach an “isolated incident” that occurred over a limited time between Sept. 1, 2013 and Sept. 16, 2015.
As often happens, the scope of the hack might widen in future announcements. Details about how the attack worked are unknown for now. Experian said it is cooperating with law enforcement investigators. Sjouwerman suspects that it will turn out that human error was as much to blame as a technological lapse, if not more so. System administrators and others with high-level access must be wary of every email and phone call they get, lest they inadvertently hand over the keys to hackers.
“Social engineering is the fastest way for the hackers to get in,” he said. “The weak link is the human.”
As for the rest of us, there is not much more to do but to undertake the self-protection measures that are repeated each time a breach hits the news: Keep tabs on your credit report, credit card statements and bank accounts, with an eye out for fraudulent transactions or new account openings. And if you’re concerned that your identifying details have been exposed, consider putting a temporary fraud alert on your credit report, or a more serious credit freeze.