It's like hearing your bodyguard was robbed outside your front door.
When Experian acknowledged Thursday that hackers had broken into one of its servers, it was bad news for everyone.
Not just the 15 million T-Mobile customers whose personal information was compromised. Not just the other clients of Experian's Decision Analytics service, through which the T-Mobile customer data was hacked. Not just for Experian and T-Mobile, which both took a reputation hit.
Because of the sensitive nature of the information stolen — including Social Security numbers, military ID numbers and passport data — this breach affects banks and any other U.S. companies that let people open or use accounts by providing personal information.
"The data of 15 million people has been exposed," said Richard Parry, principal at Parry Advisory in Chicago. "It can be used to impersonate for any number of purposes. That's a problem for the customer, and it's a problem for anybody who does verification on people in a remote-channel environment. It's a tool for account takeover."
Experian reassured the public that no banking or payment data was stolen.
But that is little consolation. When payment card data is breached, customers can be notified, card accounts canceled, and everyone can move on. In a theft of personally identifiable data such as this one, which included hard-to-replace identification numbers along with names, addresses, dates of birth and additional information used in T-Mobile's own credit assessment, that information can be used to compromise existing banking and card accounts and open new fake accounts.
"It's everything you need to impersonate somebody," Parry said. "And when aggregated with other, similar breaches, it builds up complete profiles that reinforce that ability."
The irony of this case is that Experian owns a respected data-breach-detection service used by many banks called 41st Parameter, which was founded by Ori Eisen.
"Pretty much anything Ori touches is respected," Parry said. "He's an icon in the security world. I don't doubt they had the best tools available."
Experian officials did not respond to requests for an interview, and it was unclear whether the company uses 41st Parameter's services itself.
"If this breach happened the way 99% of them happen, 41st Parameter could have helped," said Avivah Litan, vice president of Gartner. "You have to wonder if they're using it internally."
In most data breaches, hackers steal or guess the credentials for an account through phishing or another form of social engineering, or by using related information stolen in an earlier breach. Once the cybercriminals are inside a computer, they deploy malware that hunts for the credentials of more privileged users, moving from account to account until they hit a mother lode of valuable information. 41st Parameter's technology monitors log-in and account usage behavior to detect this kind of activity.
"41st Parameter probably catches 97% to 98% of suspect log-ins, with some false positives," Litan said.
Experian said in its disclosure that it encrypted some of the data affected but that the hackers broke the code. That is to be expected: hackers can often take over privileged accounts, and a privileged user already has the keys and tools needed to decrypt the data, which renders the encryption useless.
Darts and Laurels
One thing observers give Experian credit for is that only T-Mobile's data was affected; the company was able to segregate this client's data from the rest of its network.
Without that, the hackers "could have gotten 250 million Americans' credit reports, conceivably," said Litan. "So they did do something right."
It is a good practice to partition customer data, noted Al Pascual, director of fraud and security at Javelin Strategy & Research in Greenwich, Conn. "It may have been something they agreed to in working with T-Mobile," he said.
Parry does not give them any brownie points for this, however. "Do you see how far we've come [in] thinking, 'It's only 15 million. It wasn't so bad'?" he asked.
Some also credit Experian for notifying its clients and the general public quickly (two weeks after the breach was identified).
"It's interesting that Experian is reported as having detected the breach," said Samuel Visner, general manager of cybersecurity at consulting firm ICF International in Fairfax, Va. "That may be good news in that it shows that Experian may be looking at their own network and logs. Not everyone does."
Other customers of Experian's Decision Analytics service may well be freaked out by this breach.
"They should be," notes Litan. "The No. 1 fraud issue for banks and other companies is new-account opening and identity verification. More identities have been compromised than haven't. I'm on the phone every day with clients about identity proofing, because credit bureau data is what you use for identity proofing."
Of the three major credit bureaus, Experian has offered the most added services, such as identity theft protection, and it has thereby grown market share.
"This is definitely going to erode their market share," Litan said.
However, all the credit bureaus are well entrenched in banks' underwriting and other systems and are not that easy to rip and replace, so this may take a while.
"It definitely hurts their reputation," Litan said.
Need for a National Response
Some say what this breach and the many others before it (including Trump Hotel Collection and the ABA this week) prove is that you cannot trust personally identifiable information to verify customers any more.
"PII data has become completely unreliable," Litan said. "People are still using it because there's nothing else easy to use around, but they're weaning off of it."
Parry believes these breaches are a symptom of a much bigger weakness in this country's infrastructure, and that identity problems will continue until the U.S. has a national identity scheme that is coherent and robust, even if inconvenient.
"The response from many people is going to be, 'Eh, it's another one,'" he said. "The politicians will get righteously indignant, they'll launch investigations and squander more taxpayer dollars, and the critical question is, what will be done that will drive a change?"