Monday, October 05, 2015

Experian data breach exposes the supply chain security fustercluck

Experian bills itself as “the UK’s most trusted credit monitoring service” but, in the light of the data breach that has compromised the records of some 15 million T-Mobile (US) customers, it might have to reconsider that description on the other side of the pond. The as yet unknown hacker, or hackers, managed to acquire the records of customers and applicants who required a credit check (successful or not) for service or device financing between 1st September 2013 and 16th September 2015. Just for the record, yes, you did read that right: a two-year window. To pour a little more accelerant onto the flames, the breach was not revealed to customers until 1st October, which makes another Experian strapline, this time from the Experian Data Breach Response Service, seem equally irrelevant: “Respond, reassure and recover quickly in the event of a data breach.” Yeah, right…

T-Mobile CEO John Legere is pretty angry and says the stolen data includes customer name, address and birth date as well as encrypted fields holding the Social Security number and ID number (which might be a driver’s license or passport), plus additional information used in T-Mobile’s own credit assessment. “Experian has determined that this encryption may have been compromised,” Legere admits, going on to state that “I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian”, as well as the usual stuff about assisting customers and taking security seriously, of course. Legere also took the opportunity to assure customers that “neither T-Mobile’s systems nor network were part of this intrusion”. So that’s OK then! Never mind that the data was only at Experian because T-Mobile chose to hand it to a third party; that is the supply chain problem in a nutshell. Is Experian really so self-important that it thinks people should trust it when it comes to mopping up this mess?
Less OK, for many observers, is the fact that while that relationship review is carried out, T-Mobile has gone ahead and told customers impacted by the breach that they can have a couple of years of free credit monitoring and identity resolution service from, are you sitting down, the very company that allowed their data to be compromised in the first place.