Presentation is loading. Please wait.

Presentation is loading. Please wait.

Millions of T-Mobile customers exposed in Experian breach

Published byDaniel Hugo McCormick Modified over 6 years ago

Similar presentations

Presentation on theme: "Millions of T-Mobile customers exposed in Experian breach"— Presentation transcript:

1 Millions of T-Mobile customers exposed in Experian breach
Ming Hu Abhay Kshirsagar Ariana Levinson Victoria A. Johnson Jianhui Chen Binu Anna Eapen

2 Overview Experian is a global information services company, it provides data and analytical tools to assist clients in managing consumer credit risk. T-Mobile is a major wireless network operator, it provides wireless and data services in the United States. T-Mobile hired Experian to process it’s credit applications Experian was allowed to host related data It’s an outsourcing relationship between T-Mobile and Experian

3 What happened Event reported: Sept. 15, 2015: An unauthorized party accessed T-Mobile data housed in an Experian server. Data at risk: Records containing name, address, Social Security number, date of birth, identification number (driver’s license, military ID, or passport number) and additional information used in T-Mobile's credit assessment of current customers and consumers who applied for T-Mobile USA postpaid services from 1st September through Sept 16, 2015 were accessed. Data not lost : Payment card/banking information,Experian’s customer database was not accessed.

4 What happened(continuation)
Steps taken by Experian: Ensuring web application firewalls are working as intended Enhancing security of encryption keys Limiting authorized access to the server Engaging U.S. and international law enforcement and cyber crime authorities Increased monitoring of the affected servers and associated systems Notifying the affected customers and offering free credit monitoring for 2 years and identifying resolution services as long as the customer needs Data Misuse: There is no evidence at this time that the data has been used inappropriately.

5 How it happened T-Mobile and Experian both acknowledged that encryption may have cracked by intruders. It has not been confirmed as to what encryption was used. Due to the intruder's ability to break into the Experian systems designed for keeping information encrypted and safe, is the reason they were able to steal encrypted data.

6 Impact T-Mobile USA’s consumer unit wasn’t hit. Experian, a vendor who processed credit applications for T-Mobile was hit. Customers: Individuals who applied for T-Mobile services from September 1, 2013 to September 16, 2015 15 million people hit by the breach PII Risks: Identity Theft, Utility Fraud, Tax Fraud, Medical Fraud T-Mobile: Legal: Six lawsuits filed against T-Mobile and Experian accusing companies of negligence and violations of consumer protection laws, claim the stolen data is already appearing for sale in corners of the Internet known as the dark web. Financial: Shares were down 1.3% Consumer unit wasn't hit, it was the vendor (experian) who possessed the credit application. So T-Mobile was using Experian to process their credit applications. That means if you applied for service or device financing with T-Mobile between September 1, 2013 and September 16, 2015, you may be affected even if you’re not currently a T-Mobile customer. The 15 million people hit by the breach represent more than a quarter of Bellevue, Washington-based T-Mobile's 58.9 million customers, although some of the affected are no longer subscribers. The stolen data includes names, birth dates, addresses, and Social Security and drivers' license numbers, but not credit card or payment information. The information that was exposed could lead to an increased risk of identity theft. Although Experian has no evidence suggesting your personal information has been misused, they take their obligation to help you protect your information very seriously, and deeply regret that this has happened. Experian encourages all eligible individuals to enroll in the complimentary identity resolution services Experian has offered. Utility fraud All it takes to set up an account with most utility companies is a street address and a Social Security Number (SSN). From there, thousands of dollars in gas, electric and other bills can be amassed quickly if a customer’s SSN falls into the wrong hands. Tax fraud Victims of PII theft have reported instances of tax returns filed in their names to claim tax refunds. Aside from the obvious financial issues this causes, the false returns can hurt a person’s standing with the IRS for years to come. Medical fraud Using stolen PII to claim prescriptions and accrue other medical expenses is becoming more common. People have received notices of prescription drug charges and emergency room stays they never used, all because some of their personal information was compromised.

7 Root cause analysis T-Mobile stored its customer data on third party vendor-- Experian As a research shows there is up to 63% of all data breaches is caused by a third party vendor. Vulnerabilities: Vulnerabilities were identified in encryption algorithm used. Possibly the encryption technology was not updated timely or needed more enhanced algorithms. The web application firewall not working as intended. The ineffective detective control:   The hacker could hack the existing controls in place and get up to 15 million customer information.

8 Controls to remediate security and lessons learned
Experian Implement a vulnerability management tool (Qualys, Nessus, etc.) Scan regularly and often. When updates or patches are pushed out, they should be applied within 30 days. Limit the number of people with physical and logical access to the servers. Carefully test all changes, patches, and configurations before implementation in Production, to ensure they are not unintentionally undermining the established security controls. ALL Personally Identifiable Information (PII) i.e. Name, DoB, SSN, Addresses, Phone #s, etc. should be strongly encrypted within the systems they are stored in. Should a breach occur and data stolen, that data should not be readable. T-Mobile Caught between a rock and a hard place - Credit checks and a limited marketplace

9 Thank you Q&A

Download ppt "Millions of T-Mobile customers exposed in Experian breach"

Similar presentations

Detecting, Preventing and Mitigating Identity Theft Presented by the Bursar’s Office.

Detecting, Preventing and Mitigating Identity Theft Presented by the Bursar’s Office.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Identity Theft …It could be you But This Presentation is by me, Michelle Richards.

Identity Theft …It could be you But This Presentation is by me, Michelle Richards.
COMPUTER CRIMES CREDIT CARD FRAUD “A BILLION DOLLAR PROBLEM”

COMPUTER CRIMES CREDIT CARD FRAUD “A BILLION DOLLAR PROBLEM”
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
Parachute Neighborhood Watch Presentation February 9, 2010.

Parachute Neighborhood Watch Presentation February 9, 2010.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.

The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Identity Theft Presented by Christina Williams and Lazaro Juarez Orange County’s Credit Union.

Identity Theft Presented by Christina Williams and Lazaro Juarez Orange County’s Credit Union.
Protecting Your Identity: What to Know, What to Do.

Protecting Your Identity: What to Know, What to Do.
Deter, Detect, Defend: The FTC’s Program on Identity Theft.

Deter, Detect, Defend: The FTC’s Program on Identity Theft.
Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.

Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
1.7.6.G1 © Family Economics & Financial Education –March 2008 – Financial Institutions – Online Banking Funded by a grant from Take Charge America, Inc.

1.7.6.G1 © Family Economics & Financial Education –March 2008 – Financial Institutions – Online Banking Funded by a grant from Take Charge America, Inc.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Holley Myers CSCI101 Lab Lecture Thursday 2:00 10/25/07.

Holley Myers CSCI101 Lab Lecture Thursday 2:00 10/25/07.
OCPA NEIGHBORHOOD WATCH PROGRAM THE OHIO CRIME PREVENTION ASSOCIATION IDENTITY THEFT.

OCPA NEIGHBORHOOD WATCH PROGRAM THE OHIO CRIME PREVENTION ASSOCIATION IDENTITY THEFT.
It could be you! Or is it?  Identity theft is when someone uses your personally identifying information, like your name, Social Security number, or.

It could be you! Or is it?  Identity theft is when someone uses your personally identifying information, like your name, Social Security number, or.
1 Personal Health Information Data Breach. What Happened? March 10, 2012: Computer hackers illegally access a Department of Technology Services (DTS)

1 Personal Health Information Data Breach. What Happened? March 10, 2012: Computer hackers illegally access a Department of Technology Services (DTS)
Texas House of Representatives Committee on Criminal Jurisprudence Testimony of Randall S. James Banking Commissioner Texas Department of Banking August.

Texas House of Representatives Committee on Criminal Jurisprudence Testimony of Randall S. James Banking Commissioner Texas Department of Banking August.

Similar presentations

Ads by Google