Stolen T-Mobile customer data already for sale on the dark web


The cache of 15 million customer records stolen from T-Mobile’s credit monitoring service Experian has reportedly been listed for sale on the dark web.

Irish fraud prevention and security firm Trustev told VentureBeat that its researchers have found data remarkably similar to that stolen from Experian for sale on underground marketplaces.

“This morning [the researchers] saw listings go up for ‘fullz’ data that matches the same types of information that just came out of the Experian hack,” said the Trustev spokesperson on 3 October.

“Once fraudsters get their hands on data, they typically unload it very quickly…it’s not definitely T-Mobile/Experian, but it’s extremely likely considering the type of data and timing.”

The term ‘fullz’ refers to a complete package of hacked data, which in this case is listed as social security numbers (SSNs), dates of birth, driving licence information, email, phone numbers and home addresses, all of which are consistent with the data stolen from Experian.

Last week US mobile carrier T-Mobile admitted that the mass of data was compromised following a breach at its credit monitoring vendor.

The breach, which affects consumers who applied for T-Mobile services between 1 September 2013 and 16 September 2015, resulted in the exposure of names, addresses and birth dates, along with Social Security, driving licence and passport numbers.

The data loss has been blamed on compromised encryption, and was discovered on 15 September. It is now being investigated by federal and international law enforcement.

John Legere, T-Mobile US chief executive, said he is “incredibly angry” about the significant loss of data.

“We will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy very seriously. This is no small issue for us,” he said.

“I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”

Legere added that the 15 million affected people are not all T-Mobile users, stressing that the total figure is made up of credit applicants and not just direct customers.

Experian, which has taken full responsibility for the breach, warned that the stolen data may lead to an increased risk of identity theft.

“Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened,” the firm said.

“We encourage all eligible consumers to enrol in the complimentary identity resolution services we have offered.”

Craig Boundy, chief executive of Experian North America, said that his firm takes data privacy “very seriously”.

“We sincerely apologise for the concern and stress that this event may cause. That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation,” he said.

The breach is the latest in a long line of cyber attacks against high-profile targets, including the US Office of Personnel Management and United Airlines, as well as a significant breach in 2014 at banking giant JP Morgan.

Legere has indicated that T-Mobile will look for an “alternative option” for customers who do not want to use Experian in the future.

Luke Brown, vice president and general manager at Digital Guardian, explained that third parties are often overlooked when it comes to data protection.

“While many businesses are placing more emphasis on their own data protection these days, it’s easy to forget that third parties in the supply chain pose just as much of a risk to security,” he said.

“Ultimately, T-Mobile’s customers aren’t going to care where and how the breach occurred. The bottom line is they trusted T-Mobile with their sensitive data and now that trust is broken.”

Guy Bunker, vice president of products at security firm Clearswift, added that the Experian incident is another example of a “long-lived attack which has taken years to come to light”.

“For Experian, this could prove disastrous. While they say that this is only a part of their business, how can we be sure? After all, it has been happening for two years without their knowledge,” he said.