Lessons from the Experian hack

The Experian breach is more than just another hack, as cross-referencing of data sets opens up even more scope for criminal activity, says Max Vetter


The recent theft of 15 million T-Mobile customers' personal data from credit checking organisation Experian's servers could easily be dismissed as just another of the hacks hitting our headlines almost every day. However, just days later, the stolen data was reportedly already showing up for sale on the dark web.

For each of the 15 million people who applied for a T-Mobile contract between September 1st 2013 and September 16th 2015, data accessed by the hackers included their name, address, Social Security number, date of birth, identification number (eg driving license information), and additional information used in T-Mobile's own credit assessment.

As with previous hacking data dumps such as Ashley Madison, Target and JPMorgan, the issues for those dealing with exposed data range from worries about password protection and phishing to fraud and identity theft. However, the danger here could be much more severe. There is the possibility that the data could be cross-referenced with more sensitive datasets like health records or genetic information.

In the UK, for example, the NHS has a set of records called the Hospital Episode Statistics (HES) database that it shares with many commercial organisations, including Experian. The records contain every instance of a patient in England using a hospital-based service since 2001. It covers 47 million patients, who are identified by date of birth, gender and address. Access to this information could allow a hacker to easily cross-check the date of birth or address records against the T-Mobile data leak (which contains names) and find a person's entire health record within minutes. Thankfully, in the case of Experian, the records belong to American customers, but Experian has a global reach and conducts credit-check and data broker businesses in the UK, so it's not an impossible scenario.
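The linkage risk described above can be measured before a data set is shared. The following is an added example, not part of the original article: it computes k-anonymity over the three identifying fields the article names, then applies generalisation and suppression, which are standard techniques the article itself does not discuss. The rows are constructed and the field names are hypothetical.

```python
from collections import Counter

QUASI_IDS = ("dob", "gender", "address")

# Constructed sample rows (not real data); field names are hypothetical.
RECORDS = [
    {"dob": "1980-03-14", "gender": "F", "address": "12 Elm Road, LS6 2AB"},
    {"dob": "1980-11-02", "gender": "F", "address": "4 Oak Lane, LS6 3CD"},
    {"dob": "1975-06-30", "gender": "M", "address": "9 Mill Street, M14 5EF"},
    {"dob": "1975-01-19", "gender": "M", "address": "27 Park View, M14 6GH"},
    {"dob": "1992-08-08", "gender": "F", "address": "3 High Street, BS1 4JK"},
    {"dob": "1992-12-25", "gender": "F", "address": "81 Quay Road, BS1 5LM"},
    {"dob": "1931-05-05", "gender": "M", "address": "1 Abbey Close, BS1 6NP"},
]

def class_sizes(records):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in QUASI_IDS) for r in records)

def k_anonymity(records):
    """Size of the smallest class; k == 1 means at least one person is unique."""
    return min(class_sizes(records).values())

def unique_fraction(records):
    """Share of records that one matching row in another data set would single out."""
    sizes = class_sizes(records)
    return sum(1 for n in sizes.values() if n == 1) / len(records)

def generalise(rec):
    """Coarsen the fields: year of birth only, outward postcode only."""
    outward = rec["address"].rsplit(", ", 1)[-1].split()[0]
    return {"dob": rec["dob"][:4], "gender": rec["gender"], "address": outward}

def suppress_below(records, k):
    """Withhold records whose class is still smaller than k after coarsening."""
    sizes = class_sizes(records)
    return [r for r in records if sizes[tuple(r[q] for q in QUASI_IDS)] >= k]

if __name__ == "__main__":
    coarse = [generalise(r) for r in RECORDS]
    released = suppress_below(coarse, 2)
    for label, rows in (("raw", RECORDS), ("generalised", coarse),
                        ("suppressed", released)):
        print(f"{label:12} n={len(rows)} k={k_anonymity(rows)} "
              f"unique={unique_fraction(rows):.2f}")
```

With full date of birth and address every constructed row is unique; after coarsening, one outlier still stands alone and has to be withheld before the remaining rows reach k = 2.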

The additional issues for users could be similar to those suffered by the victims of the recent Ashley Madison hack, where users were the subject of blackmail and extortion. Threatening emails asking users for bitcoins reportedly did the rounds. Additionally, this type of data breach is perfect ground for “social engineering” phishing attacks, where a user could receive a seemingly innocent email but, on opening the attachment, unwittingly infect their own computer with malware.

No doubt Experian is now spending large amounts of money attempting to track down the hackers and bring them to justice. However, catching them will do little to mitigate the damage. Attempting to keep the business running should be the priority, which will be difficult now that it has lost so much trust in light of the hack of T-Mobile's personal customer data.

What this episode shows is the power a motivated and advanced hacker group can have over the future of a company, especially one that relies on data and keeping that data secret as a business model.

There are already wider questions being asked about just how much data we give away to companies about ourselves, and how dangerous that can be given hackers' ability to easily gain access and expose it.

No matter what happens to Experian, there will be even bigger hacks in the future exposing more user data. How little we care about terms and conditions with the mandatory “click to accept” rule has gone unchanged for a long time. Perhaps more hacks of this nature will convince us of what corporations and criminals have long known: our personal data is worth something and is important enough to hold onto.

Contributed by Max Vetter, cyber security trainer and analyst at QA

Max holds a BSc in Astrophysics and two MScs, in Communication Systems and Signal Processing and in Countering Organised Crime and Terrorism. Max worked in both the private and public sector for 10 years as an intelligence analyst, Covert Internet Investigator and trainer in Open Source Intelligence. Max is a specialist in Covert Internet Investigations, the Dark Web and Cyber Threats.