Monday, October 26, 2015

Experian, Part two

It's a little strange that I wrote about an Experian-related breach last week, and this week I'm dealing with an Experian-related breach first-hand.

Sometime during the week, I got a notice from Experian that my personal information may have been compromised.  This notice was sent to people who applied for T-Mobile service, and the exposed information includes birthday, social security number, name, address, etc.  In consideration of my information being exposed, Experian offered me two years' worth of credit monitoring for free.  Almost certainly, legally speaking, if I accept the credit monitoring, it would be considered a legal settlement and I can't pursue it further.  After all, the monitoring mitigates the damage.

Here's the problem- I am not a T-Mobile customer, have never been a T-Mobile customer, and don't even have any cell phone contract.  I'm a month-to-month customer, as is my son, and there's no credit check for a month-to-month service.  I am not exaggerating- I think the last time I had a cell phone contract was in the 1990s.

So why am I getting this letter?

There are a few possible explanations.  First, my son's cell phone service is through a carrier that uses the T-Mobile network.  Before that, his carrier decided to stop offering cell phone service and recommended that all of their customers switch to T-Mobile.  I find this the most likely explanation, but it's problematic (I will get to that in a moment).

Second possibility: my ex-step-daughter has used T-Mobile in the past, and I have evidence she has not switched her license since moving out over a year and a half ago.  This may have released my address, and possibly my name.  Depending on what information the credit reporting agencies get, I suppose it's possible that my social security number is linked with that address.  So when she turns 18 and gets a cell phone plan, they ask for her ID and run a credit check.  The address gets pulled up and possibly my social security number (again, depending on the info they get), and when the info was breached, it included my info, despite my never having anything to do with T-Mobile directly.  I find this less likely.

Third, it's a mistake.  Because my son's cell phone carrier uses the T-Mobile network, it auto-generated this letter.  However, since I'm not on contract, my info wasn't actually released.  This is another likely possibility.

The reason the first explanation is so problematic is that it means I truly have no control over my info.  Even when I choose to not deal with a company, my info is sold to that company and I can't opt out.  In other words, I don't have the option of avoiding the risk unless I completely refuse to have a cell phone.  If my info is sold and I cannot opt out by refusing to have a cell phone contract, then my information is at risk simply because I own a cell phone.  To phrase it even more succinctly- I don't have any real risk mitigation options in the modern world.

As a future lawyer (specifically one focusing her practice on information privacy/cyber-law), this disturbs me greatly.  The law is big on determining who should have the blame.  In certain states, if you are even one percent at fault for something bad that happened to you, you cannot recover*.  That leads to an obvious question- am I at least one percent at fault for owning a cell phone?  After all, I could have opted out.  It's not something I was forced to accept, and I willingly purchased my son a phone and paid his monthly service fee.  I believe there is a good chance the court would see me as at least 1% responsible, which means I can't recover anything.

Let that sink in for a minute...  I refuse to enter a contract with ANY cell phone carrier because I don't want to share personal information.  The business isn't profitable enough for them, so they sell what info they do have to another company as part of a buy-out.  If I accept the credit monitoring, I can't later complain that they never should have had my info to begin with.  And if I decide that I'd rather complain about that, I can't recover anything because I willingly had a cell phone- like almost every other non-Amish citizen of the United States.


*This is fairly rare these days, but quite a few states do still bar recovery if you are more at fault than the other party.

References:
Finkle, J. (2015, October 1). Millions of T-Mobile customers exposed in Experian breach. Retrieved October 26, 2015, from http://www.reuters.com/article/2015/10/02/us-tmobile-dataprotection-idUSKCN0RV5PL20151002

Monday, October 19, 2015

Court ventures breach

One of the most idiotic data breaches occurred in October 2013, when Court Ventures, a company owned by the Experian credit reporting service, sold a Vietnamese identity theft group the records of over 200,000,000 people.

Oops.

The Vietnamese group practiced identity theft: it gathered records (including social security numbers) and then sold this info to people willing to buy that personal information.  Court Ventures didn't check into the legitimacy of the Vietnamese group before selling the info.  In other words, Court Ventures collected a lot of personal information from consumers, sold that information to a client in Vietnam, and that client in turn sold it to its own clients, who were presumably buying it for nefarious purposes.

The term "identity theft" usually implies that someone's information or identification is being stolen.  But what is it called when it's lawfully (if carelessly) sold to a person who shouldn't have it?  It's called a data breach.  Imagine having to tell over 200,000,000 people that although they entrusted you with their information on loan applications, credit checks, etc., you sold that information to what many would consider hackers.  That leaves the CEO in a very bad situation, even if he put himself there.

Granted, this was not a situation that involved hacking.  In my opinion, it's much worse.  Hacking is when someone has made at least a minimal effort to secure information that shouldn't be seen, but someone has been able to access that information anyway.  This is a situation where you have information that shouldn't be seen, but nobody has broken in.  Instead, exactly the kind of people you don't want to have your information are being sold that exact information they shouldn't see.  You not only weren't protected- your secret information was sold so that the company could profit, and they were so careless and greedy that they didn't care whether the information should be secret or not.


References:
McCandless, D. (2015, October 2). Ideas, issues, knowledge, data - visualized! Retrieved October 19, 2015, from http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

McCarthy, N. (2014, August 26). Chart: The Biggest Data Breaches in US History. Retrieved October 19, 2015, from http://www.forbes.com/sites/niallmccarthy/2014/08/26/chart-the-biggest-data-breaches-in-u-s-history/

Monday, October 12, 2015

Indiana University- Week Seven

Since I started this blog as part of an assignment for my Master's in Cybersecurity, I wanted to take a look at a data breach involving a university.  These aren't that prevalent, which is a good thing, but it leaves me curious why more colleges aren't hacked.  You have a large number of college students, most of them somewhere between frazzled and partying, and they've handed over an enormous amount of personal information to the university.  I hope that it's because in academic settings, more educated people are paying better attention to data security, but I don't know if that's accurate or not.  Whatever the reason, it's a good thing more university hacks and breaches haven't occurred.

In 2014, about 146,000 students at Indiana University had their information, including social security numbers, exposed.  This wasn't a hack, but it was a data breach.  Here's the difference: a hack is someone trying to access information that's specifically been made unavailable to them.  It's the online equivalent of breaking and entering.  A data breach can certainly be a hack, but it's larger than that.  It includes accidental releases of info.  Here, the data was exposed because it was stored in an unencrypted area.  Search engines gathered the information (because that's what search engines do), and gained access to 146,000 students' records.  This info should have been encrypted, and it's pretty easy to lay the blame on the university for not encrypting an area that should have been encrypted.

When I said above that a hack was the online equivalent of breaking and entering, this data breach was more like a person walking through a public area of a government building, picking up brochures.  Only, someone made a mistake and put confidential info into the brochure racks.  The person who got the information wasn't necessarily acting nefariously- they collected random info that they were told was available for them to collect.  But that info shouldn't have been in that rack for them to collect.

References:
Wang, S. (2014, February 26). Data breach at Indiana U may have exposed student SSNs. USA Today. Retrieved October 12, 2015, from http://www.usatoday.com/story/news/nation/2014/02/26/indiana-university-data-breach/5830685/

Monday, October 5, 2015

Beautiful interactive hack infographic- Week 6

This week, I wanted to step away from the topic of individual hacks and look at it from a higher level.  I discovered a website called "InformationIsBeautiful.net" that includes visualizations of lots of different kinds of data.  But there was one particular timeline of hacks that was especially good, and useful for the theme of this blog.  This timeline provides information about different hacks that have occurred.  It says when the hack occurred, gives a bit of information about the hack, compares it in size to other hacks, and even provides a link to an outside report where one can discover more information about that particular hack.  The thing I like best is that you can sort by industry and the method of leak.  For example, with only two clicks, I can easily discover that there was only one hack involving the retail industry that was an inside job.

This infographic has a lot of information, but it's presented in a really simple, uncomplicated manner.  By sorting on different features, a reader can work out what their particular industry should be most concerned about.

I think it's rare to stumble across information that presents so much in a very intuitive way.  Often, the more data that's included, the more complicated the site or graphic gets.  Being able to filter out the noise and present the information so simply is a definite boon to an information security professional.

References:
Ideas, issues, knowledge, data - visualized! (n.d.). Retrieved October 5, 2015, from http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/