Experian breach puts T-Mobile customers in the crosshairs
In a previous article on Access Granted, I looked at a recent breach that impacted PNI Digital Media, a company that partners with major retailers to handle their online and kiosk photo printing services.
The breach of PNI Digital Media had a ripple effect across the retail industry. Since PNI partners with some of the world’s largest and most recognized retailers – including CVS, Rite Aid, Walmart Canada and Costco – the breach of their networks impacted the customers of these retailers. Ultimately, these companies were forced to disclose the breach to their customers and possibly lose customer loyalty as a result of the admission.
When I discussed this breach, I looked at the impact to the retailers that PNI Digital Media partnered with, and used it as an opportunity to preach caution when choosing and working with other enterprises. The PNI Digital Media breach perfectly illustrated how one company’s security vulnerabilities can impact a large ecosystem of other enterprises that they partner with.
Now, there’s an even better – and more frightening – example.
Just last week, Experian was breached. Experian is a global information services company that offers credit services, marketing services, decision analytics and consumer services to companies, and that aggregates personal and lifestyle data about consumers.
Unfortunately, much like the PNI Digital Media breach, the impact of the Experian breach was felt across other organizations, most notably the mobile services provider T-Mobile. Experian was used by T-Mobile and other companies to run credit checks and provide information on customers applying for financing and cellphone services.
According to Experian in a recent press release, the information that was exposed included, “…some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from September 1, 2013 through September 16, 2015, based on Experian’s investigation to date. This incident did not impact Experian’s consumer credit database.”
The information that was exposed for these 15 million T-Mobile customers included, “…names, dates of birth, addresses, and Social Security numbers and/or an alternative form of ID like a drivers’ license number, as well as additional information used in T-Mobile’s own credit assessment.” The company did provide a silver lining in that, “No payment card or banking information was acquired.”
The breach of Experian is particularly disturbing because the company positions itself as a leader in cybersecurity. In fact, the company owns one of the credit monitoring companies that enterprises utilize to offer monitoring services to their customers when their own networks are breached. That service, ProtectMyID, was ironically the service chosen by T-Mobile to provide free credit monitoring services for their compromised customers.
The end result of this breach has been ugly for both Experian and T-Mobile, with multiple lawsuits being filed against both companies. According to an article by Bloomberg Business, “at least five such lawsuits were under way against T-Mobile and Experian, all seeking class-action status to represent everyone affected by the breach. A sixth lawsuit named only Experian.” In addition to the lawsuits, there is also the impact to T-Mobile’s brand and the cost – if any – that the company is paying for credit monitoring services for the 15 million compromised customers.
T-Mobile worked with a strategic partner for its credit checks, and that partner’s vulnerable network wound up costing it in brand loyalty and revenue. This is why it’s absolutely essential for enterprises to think more intensely about the security posture of the companies they’re planning to work with.