Data Privacy and Security

What can we learn from the Experian breach?

This is a contributed piece by Max Vetter, Cyber Security Trainer and Analyst at QA


When Experian, the world’s largest consumer credit monitoring firm, recently disclosed it had suffered a massive data breach of an internal network server, the fallout proved intense for all concerned.

Hackers had stolen the personal information of up to 15 million T-Mobile US customers, including new applicants requiring a credit check for service or device financing from 01 September 2013 through to 16 September 2015.

The breach occurred at an Experian US subsidiary used by T-Mobile to process information on US subscribers. According to Experian, while no payment card or banking information was obtained, the breach potentially exposed the personal information of millions of T-Mobile customers.

The personal data exposed included information such as name, address and date of birth, social security numbers and ID numbers – typically a driver’s license, military ID or passport number – and additional information used in T-Mobile’s own credit assessment.

The Experian hack is just another in a series of high-profile security breaches to hit the headlines and follows in the wake of much-publicised cyberattacks on Sony, Staples, Target and Home Depot in the US. In the UK, Carphone Warehouse revealed in August that personal details of up to 2.4 million of its customers may have been stolen.

Worryingly, it’s been widely reported that data hacked from Experian is already on sale on the Dark Web – making it readily available to phishers, malware writers and ID thieves.

Despite the fact that no financial information was stolen during the breach, the completeness of the sensitive personal data taken by the hackers will tick every box for a professional identity thief. Using this information, fraudsters will have everything needed to set up new lines of credit, or file for a phoney tax refund.

With US consumer privacy groups calling for a Federal investigation into the Experian hack, T-Mobile’s CEO John Legere has publicly voiced his anger at the breach and stated his company is reviewing its links with Experian. Meanwhile, T-Mobile customers and applicants in the US are being advised to immediately place fraud alerts on their credit records or pay for security freezes.

Without question, the immediate reputational damage for Experian has been significant. Just days after the data breach announcement, the FTSE 100 company experienced its worst trading session in 18 months and is currently facing a growing number of lawsuits seeking class-action status to represent everyone affected by the breach.

And while Experian is adamant that its credit report files – containing data on over 200 million consumers – were unaffected by the recent cyberattack, there’s public uncertainty being voiced around how long the hackers were in Experian’s system and what other data may be vulnerable as a consequence. This critical loss of trust will represent a significant hurdle for the company to overcome.

According to analysts at Barclays bank, the robustness of Experian’s response to this most recent incident will prove critical to its ability to rehabilitate its consumer business. They estimate that the initial financial cost of the incident to Experian is likely to be in the region of $10 million.

The analysts go on to say that data breaches and cyberattacks are becoming increasingly commonplace and that it is unlikely that Experian’s competitors will be singing from the rooftops, as any large data player is at risk from hackers and ID theft.

All of which underlines how even the most experienced and seemingly protected entities – ironically, Experian’s business is that of handling and protecting data – appear vulnerable to highly motivated and advanced hacker groups.

Perhaps it’s time we all paid more attention to how much data we give away to companies each time we undertake a ‘click to accept’ action online. In the meantime, the Experian hack represents a wake-up call for any company entrusted with the data of others – customers, patients, employees. With 90% of large businesses suffering a security breach in the past year, no one can afford to be complacent about or unaware of cyber security.


