Millions of T-Mobile customers exposed in Experian breach Ming Hu Abhay Kshirsagar Ariana Levinson Victoria A. Johnson Jianhui Chen Binu Anna Eapen

Overview Experian is a global information services company, it provides data and analytical tools to assist clients in managing consumer credit risk. T-Mobile is a major wireless network operator, it provides wireless and data services in the United States. T-Mobile hired Experian to process it’s credit applications Experian was allowed to host related data It’s an outsourcing relationship between T-Mobile and Experian

What happened Event reported: Sept. 15, 2015: An unauthorized party accessed T-Mobile data housed in an Experian server. Data at risk: Records containing name, address, Social Security number, date of birth, identification number (driver’s license, military ID, or passport number) and additional information used in T-Mobile's credit assessment of current customers and consumers who applied for T-Mobile USA postpaid services from 1st September 2013 through Sept 16, 2015 were accessed. Data not lost : Payment card/banking information,Experian’s customer database was not accessed. http://www.t-mobile.com/landing/experian-data-breach.html

What happened(continuation) Steps taken by Experian: Ensuring web application firewalls are working as intended Enhancing security of encryption keys Limiting authorized access to the server Engaging U.S. and international law enforcement and cyber crime authorities Increased monitoring of the affected servers and associated systems Notifying the affected customers and offering free credit monitoring for 2 years and identifying resolution services as long as the customer needs Data Misuse: There is no evidence at this time that the data has been used inappropriately. http://www.t-mobile.com/landing/experian-data-breach.html

How it happened T-Mobile and Experian both acknowledged that encryption may have cracked by intruders. It has not been confirmed as to what encryption was used. Due to the intruder's ability to break into the Experian systems designed for keeping information encrypted and safe, is the reason they were able to steal encrypted data. http://www.computing.co.uk/ctg/news/2428901/experian-t-mobile-hack-shows-encryption-no-panacea-for-security-warns-tor-co-founder

Impact T-Mobile USA’s consumer unit wasn’t hit. Experian, a vendor who processed credit applications for T-Mobile was hit. Customers: Individuals who applied for T-Mobile services from September 1, 2013 to September 16, 2015 15 million people hit by the breach PII Risks: Identity Theft, Utility Fraud, Tax Fraud, Medical Fraud T-Mobile: Legal: Six lawsuits filed against T-Mobile and Experian accusing companies of negligence and violations of consumer protection laws, claim the stolen data is already appearing for sale in corners of the Internet known as the dark web. Financial: Shares were down 1.3% Consumer unit wasn't hit, it was the vendor (experian) who possessed the credit application. So T-Mobile was using Experian to process their credit applications. That means if you applied for service or device financing with T-Mobile between September 1, 2013 and September 16, 2015, you may be affected even if you’re not currently a T-Mobile customer. The 15 million people hit by the breach represent more than a quarter of Bellevue, Washington-based T-Mobile's 58.9 million customers, although some of the affected are no longer subscribers. The stolen data includes names, birth dates, addresses, and Social Security and drivers' license numbers, but not credit card or payment information. The information that was exposed could lead to an increased risk of identity theft. Although Experian has no evidence suggesting your personal information has been misused, they take their obligation to help you protect your information very seriously, and deeply regret that this has happened. Experian encourages all eligible individuals to enroll in the complimentary identity resolution services Experian has offered. Utility fraud All it takes to set up an account with most utility companies is a street address and a Social Security Number (SSN). From there, thousands of dollars in gas, electric and other bills can be amassed quickly if a customer’s SSN falls into the wrong hands. Tax fraud Victims of PII theft have reported instances of tax returns filed in their names to claim tax refunds. Aside from the obvious financial issues this causes, the false returns can hurt a person’s standing with the IRS for years to come. Medical fraud Using stolen PII to claim prescriptions and accrue other medical expenses is becoming more common. People have received notices of prescription drug charges and emergency room stays they never used, all because some of their personal information was compromised.

Root cause analysis T-Mobile stored its customer data on third party vendor-- Experian As a research shows there is up to 63% of all data breaches is caused by a third party vendor. Vulnerabilities: Vulnerabilities were identified in encryption algorithm used. Possibly the encryption technology was not updated timely or needed more enhanced algorithms. The web application firewall not working as intended. The ineffective detective control:   The hacker could hack the existing controls in place and get up to 15 million customer information. http://blog.eiqnetworks.com/blog/the-experian/t-mobile-breach-is-it-possible-to-predict-big-hacks http://blog.securityscorecard.com/2016/07/20/third-party-vendor-breaches-2016/

Controls to remediate security and lessons learned Experian Implement a vulnerability management tool (Qualys, Nessus, etc.) Scan regularly and often. When updates or patches are pushed out, they should be applied within 30 days. Limit the number of people with physical and logical access to the servers. Carefully test all changes, patches, and configurations before implementation in Production, to ensure they are not unintentionally undermining the established security controls. ALL Personally Identifiable Information (PII) i.e. Name, DoB, SSN, Addresses, Phone #s, etc. should be strongly encrypted within the systems they are stored in. Should a breach occur and data stolen, that data should not be readable. T-Mobile Caught between a rock and a hard place - Credit checks and a limited marketplace

Thank you Q&A