Once more unto the breach. Welcome to October 2015 and yet another high-profile breach of consumer data. T-Mobile just announced hackers have grabbed the personal data for over 15 million applicants. That’s everyone for the last two years.
It appears, though, that T-Mobile was not at fault.
Instead, hackers targeted one of the nation’s top three credit bureaus, Experian. Experian performs credit checks for T-Mobile, then stores the results. The data thieves made off with applicants’ names, addresses, birthdates and social security numbers. That’s plenty of data for identity theft.
We often talk about protecting corporate data assets. But aren’t our customers the most valuable assets of all?
Who’s at fault here?
It’s true that this breach is smaller than Anthem’s 40 million breach. And it’s less than the 21.5 million exposed when hackers targeted the Federal government. But 15 million is still a lot of people.
Experian claims it had encrypted the data, but admits the encryption “might” have been compromised. In practice, that means we should assume it was. So all those customers will have to worry about their data falling into the wrong hands for years to come.
We can argue about whose responsibility it is to protect that data. Sure, T-Mobile requires a credit check before approving new service. But is it appropriate for Experian – a third party – to store the results for so long? And if so, shouldn’t the encryption be tighter, or sensitive information removed or scrambled?
You can offer to pay for their credit monitoring, but that doesn’t undo the harm. Damage your customers’ credit or identity, and you damage your own reputation.
Your customers’ financial integrity is at risk
We think of data security as keeping our corporate data out of competitors’ hands. But as the Experian breach shows, one of our most precious data assets is our customers’ data. If we mishandle that data, we lose our customers’ trust – and likely their business revenue – forever.
Hackers want information they can exploit for monetary gain, with the least trouble. So unless you’ve got trade secrets lying around, they’ll go after your customers’ data. With that, they can run up massive credit card charges before your customers even notice.
Sadly, in this instance the victim is a protector of consumer credit information. As a major credit bureau, Experian determines a consumer’s creditworthiness. It should, then, be able to protect such data. And if it can’t, how are the rest of us to feel?
Protecting ourselves – and our customers
Such a breach shouldn’t just make us “shake in our boots.” It should make us question some of our business practices.
We rely on companies like Experian for credit reporting, especially for our new customers. But we should question what those companies do with the data after we get the credit scores. Besides the score and the result of a credit inquiry, does Experian need to hold the full applicant dataset indefinitely?
Third-party vendors aside, we need frequent review of our own data retention policies. And that includes who and what on the network can reach such data. If hackers can breach Experian’s defenses, then our own data stores may be just as vulnerable.
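To make the retention and “scramble the sensitive fields” questions above concrete, here is an added illustration (not code from the original post, T-Mobile or Experian) of what a minimized credit-check record can look like: the decision is kept, the applicant is referenced by a keyed HMAC of the SSN rather than the SSN itself, and every record carries an expiry so a purge job can enforce the retention window. The record layout, the 90-day window, the field names and the HMAC key are all assumptions made for the example.

```python
"""Data-minimization and retention example for stored credit-check results.

Added illustration, not from the original post. It assumes a record holding the
fields the post says were stolen (name, address, birthdate, SSN) plus the
inquiry decision. The retention window, field names and key are assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed: a per-deployment secret from your secrets store. It lets a later
# inquiry be matched to a stored record without the SSN itself being stored.
PSEUDONYM_KEY = b"replace-with-a-key-from-your-secrets-store"

# Assumed retention window for a stored credit-check outcome.
RETENTION_DAYS = 90


def pseudonymize_ssn(ssn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of the nine SSN digits.

    A plain hash would not do: there are only about a billion possible SSNs,
    so an unkeyed digest can be reversed by brute force. The key makes that
    infeasible for anyone who gets the table but not the key.
    """
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def minimize_record(application: dict, now: datetime) -> dict:
    """Keep only what the business needs once the decision has been made.

    Name, address, birthdate and SSN are deliberately dropped; the SSN
    survives only as a keyed pseudonym, and the record carries its own expiry.
    """
    return {
        "applicant_ref": pseudonymize_ssn(application["ssn"]),
        "decision": application["decision"],
        "inquiry_at": now.isoformat(),
        "expires_at": (now + timedelta(days=RETENTION_DAYS)).isoformat(),
    }


def purge_expired(records: list, now: datetime) -> list:
    """Return only the records whose retention window has not yet passed."""
    return [r for r in records
            if datetime.fromisoformat(r["expires_at"]) > now]


if __name__ == "__main__":
    # Constructed sample application; not real data.
    app = {"name": "Jane Doe", "address": "1 Main St", "birthdate": "1980-01-01",
           "ssn": "123-45-6789", "decision": "approved"}
    now = datetime(2015, 10, 1, tzinfo=timezone.utc)
    rec = minimize_record(app, now)
    print("stored:", rec)
    later = now + timedelta(days=RETENTION_DAYS + 1)
    print("after retention window:", purge_expired([rec], later))
```

Two points are worth noting. The stored record lets you answer “have we already run a check on this applicant?” (compare `pseudonymize_ssn` of a new inquiry against `applicant_ref`) without holding the SSN, so a dump of the table is far less useful to a thief. And because `expires_at` is part of the record, the retention policy is something a scheduled job can enforce mechanically rather than a document nobody reads.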
Of course, no IT security policy can be 100 percent secure, 100 percent of the time. But as Anthem, the Feds, and Experian have shown us, we must keep constant vigilance over our data. That means protecting both our corporate information assets and those of our customers by:
- Performing regular attack and penetration testing on our network
- Addressing vulnerabilities immediately
- Enforcing our user management policies
- Reassessing our network and data protection regularly
When was the last time you reviewed your network and data security policies? Let us know how we can help, and tell us about it in the Comments section.