Over the past few days, Scottrade and T-Mobile both notified the public that portions of their respective customer information may have been stolen by criminals.
In the case of Scottrade, hackers apparently accessed as many as 4.6 million customer names and addresses on the brokerage firm's information systems between sometime in late 2013 and February 2014; according to the company, customers who opened accounts since then were not affected. Scottrade did not even discover the breach itself; it learned that its data had been stolen when federal investigators notified it of an ongoing investigation. That is an unimpressive situation, and it raises questions about whether other information-security weaknesses remain undetected.
T-Mobile's data leak was a bit more complicated, as it occurred via a breach at Experian, which processes the communications firm's credit checks. According to T-Mobile's CEO, John Legere, "The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015."
The data potentially stolen by hackers includes T-Mobile customers' names, addresses, dates of birth, and Social Security numbers, as well as other data, including information from government-issued IDs used when opening accounts. The stolen data also included information from people who applied for credit with T-Mobile but who did not ultimately open accounts. While some of the pilfered data was stored in encrypted form, according to Legere, Experian told T-Mobile that the encryption may have been compromised; encryption of stored data offers little protection if an attacker also obtains the keys or access to the systems that decrypt it. It should be noted that Experian has been criticized in the past for failing to protect data from unauthorized access via credentials stolen from its customers.
It is somewhat ironic that two major breaches were announced on the first two days of National Cyber Security Awareness Month, but perhaps the timing just highlights the awful truth about cybersecurity in today's America: it is severely deficient.
What is perhaps even more alarming is how firms address the risk to users after breaches. Like so many other major corporations that have been breached, the firms involved are offering free credit monitoring and identity theft protection services to those customers who may have been affected. Customers should definitely take advantage of this service, although, especially in the case of the T-Mobile-Experian breach, it may offer grossly inadequate protection. (Ironically, the service being offered by Experian is its own service, something that may not instill the greatest confidence.)
When credit cards are stolen, the information on them goes stale pretty quickly; credit card numbers have a limited shelf life, because issuers cancel and reissue cards once fraud is reported. A number stolen today, for example, loses value very quickly when sold on the Darknet (the online black market): fresher numbers are seemingly always available, the odds of a number still working diminish with time, and the odds of getting caught committing a crime with a stolen number go up as time progresses. Identity information, on the other hand, does not lose value with time; in fact, if it is unused, such data usually increases in value as it ages. Criminals know that after a person is notified of a major breach he or she may receive free credit monitoring for a couple of years, and may be vigilant about checking credit reports and the like for a while. But several years later, after the person has experienced no harm, his or her level of vigilance drops, the free credit monitoring service ends, and memories of the breach are relegated to the back burner. And that is precisely when sophisticated criminals use the stolen data to commit identity theft and other crimes.
Likewise, while some crooks may seek to exploit the Scottrade data immediately, patient criminals may wait some time for customers' vigilance to die down before attempting to social engineer or otherwise target Scottrade customers using the information obtained via the breach.
Ironically, some experts are saying that the two breaches announced this week were not so bad because no credit card data leaked; I disagree. The Scottrade information can be used by clever criminals to trick people into giving them all sorts of information: "This is Scottrade calling about your account. We have detected some suspicious activity. Please confirm your mother's maiden name so we can reset your password." Knowing a customer's name and address makes such a call far more convincing; anyone who receives one should hang up and call the firm back at the number printed on a statement rather than answer questions on an inbound call. The T-Mobile breach, clearly far worse, creates long-term risks for customers: Social Security numbers, dates of birth, and other similar information are normally not changeable for life. Passports are valid for ten years, and a driver's license can carry the same number for as long as its holder is licensed. One cannot quickly change or replace these the way one replaces a credit card, nor can a year or two of credit monitoring address the long-term risks created by the theft of these types of data.
For some tips on how to stay secure if your information may have been breached, please see my article: 10 Ways To Protect Yourself After Your Personal Information Is Stolen
Please feel free to discuss this article with me on Twitter. I am at @JosephSteinberg.