The original iTWire article this morning is here. It is a good backgrounder if you are unaware of the details.
No group has claimed responsibility yet, nor made a ransom demand to return the data, indicating that it was a premeditated attack for the purposes of obtaining personal data for identity theft. At current market value, that information could be worth up to $300 million dollars if sold to cyber-criminals for the purpose of ID Theft. That is likely if the extent of the information is as comprehensive as suggested in international news reports.
Hackers then incorporate that stolen information into a larger, searchable database that may have other information about you making it easy to steal your identity. A stolen identity leads to stolen tax refunds, ruined credit, and worse. It is worse in the USA because of every man, woman and child has to have a social security number – a unique number that ties all records together.
Eva Velasquez, the CEO of the non-profit Identity Theft Resource Centre said, “There are many more steps you have to take to minimize your risk when your Social Security number is compromised versus payment card data. Payment cards can be cancelled, ending the harm. But thieves can use someone's Social Security number to open new financial accounts and take out new loans for big-ticket items like cars and they can file a false tax return in your name.”
Experian said hackers stole T-Mobile customer names, addresses, Social Security numbers, birthdays, and even sensitive identification numbers (like a driver's license, military ID or passport number) and that the encryption of sensitive personally, identifiable, information (PII) was likely compromised.
Experian, one of the largest credit brokers in the world, gathers vast amounts of incredibly PII data on all Americans, made it clear that hackers did not access its other computers that house data for other companies. "This was an isolated incident of one server and one clients' data," Experian said.
Experian’s reach extends into almost all areas of American life - customer loyalty cards that track the purchases of everyday necessities to public records including real estate liens and bankruptcy. Its vast database is widely used by automated advertising networks to load ads relevant to a given user, but it has many other applications.
Experian is not squeaky clean. In a previous incident, hackers stole at least 200 million identities from its database – this time belonging to Target USA (no relation to Target Australia owned by Wesfarmers though sister company Kmart has just been hacked)
Experian has also sold the PII data of millions of Americans to a fraudster in Vietnam. Hieu Minh Ngo, now 25, was caught and admitted to posing as a private investigator in Singapore to get exclusive access to PII data via Court Ventures, an Experian subsidiary. Ngo then sold access to fellow criminals. Cyber-criminals are alleged to have accessed that database 3.1 million times. It was not until U.S. Secret Service agents alerted Experian that the practice stopped.
According Barry Kouns, a security professional who maintains a Cyber Risk Analytic database of major data breaches, Experian's databases have been involved in 97 breaches of personal information.
"Based on our research, it appears that data brokers place a high value on collecting and using our information but not so much on protecting it," Kouns said.
Nearly 800 major and reportable data breaches by US organisations were identified in 2014, according to the Identity Theft Resource Centre.
The upside is really the downside
Experian's offer may be a two-edged sword. It is offering T-Mobile customers two years of free credit monitoring and identity protection. All of which requires customers to give more information to the company that has reportedly had 97 leaks!
"Customers will be cynical about using credit monitoring from Experian," said Gartner security analyst Avivah Litan. "Why would you trust someone with your account that has been breached?"
There have been a string of high-profile hacks of businesses and other organizations recently affecting millions of people, including adult (or is that adultery) website Ashley Madison, Sony Pictures, the insurer Anthem, Home Depot, Target, eBay, and the U.S. Office of Personnel Management.
“The irony is that so many companies have used Experian as a ‘clean room’ to put their data together with other companies’ data to keep it from being personally identifiable. That very ability can make everything personally identifiable,” said Jon Mandell, formerly of Precision Demand and now a consultant to the industry.
While I was researching this, I came across CNN Money’s excellent web site and an article titled ‘What hackers know about you’.
It ihas also making it n Demand and now a consultant to the industry. you., sfarmers_)ehensiver r identity theft. At current marekes chilling and worth a visit just to click randomly on a few suppliers that have been hacked to see the extent of information collected. For example:
Bottom line – walk softly and leave a very small, light, digital footprint.