Chances are that by now — especially if you’re one of the 15 million unfortunate people who were directly affected — you’ve seen the news of yet another massive data breach, in which the records of 15 million T-Mobile customers were stolen from Experian, the vendor that processes the mobile phone carrier’s credit applications.
According to statements by both companies, the customer data was exfiltrated over a period of two years, from September 2013 to September 2015. And according to Experian’s statement released Thursday, the compromised records “contain name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment.”
In other words, here you have everything that criminals need to create false identities for all kinds of fraudulent purposes — which will in turn create months of havoc and expense for these individuals. The fact that “no payment card or banking information was obtained” is truly beside the point.
The fact that T-Mobile’s CEO is “incredibly angry about this data breach” is beside the point as well, as is the now obligatory statement from the PR firm playbook: “I take our customer and prospective customer privacy VERY seriously.”
See, we know he’s really serious because he uses boldface font and puts the word “very” in uppercase! It’s another sad example straight out of my Incident Response Report Card — unfortunately, from the upside-down, what-not-to-do ‘Screwtape’ version.
Are we really surprised that these centralized repositories of consumer information are a prime target for criminals? This information will undoubtedly be used to create false identities, and Aberdeen has pointed out before that the payoff goes up by 3.5 to 10 times by moving from mere false identities to complete, prepackaged identity theft kits. This then goes up by an additional six times by moving from full-featured identity theft kits to actually carrying out fraudulent borrowing and spending.
What consumers want — and deserve — is not another two years of free credit monitoring and identity resolution services layered on top of the others that have been provided in the wake of other breaches. Consumers want — and deserve — for the organizations we trust to actually invest in what it takes to secure our personal information that they store on their servers.