The Experian/T-Mobile hack may be more worrisome than Experian’s carefully worded description of it suggests, some security experts said Friday.
I asked Goldschlag a simple question: “After the Office of Personnel Management and Experian hacks, is there reason to fear that hackers now have the means to steal actual financial information (credit card numbers, etc.) from banks or insurers?”
Goldschlag didn’t answer the question directly, but his answer was disturbing.
“Experian differentiated between personally identifying information that was not stored encrypted, and credit card info which was stored encrypted — both were hacked,” Goldschlag wrote in a note to VentureBeat.
“Experian added that it is likely that the hackers were able to decrypt the encrypted information too,” he said. (Experian’s CEO admitted this.) “So storing information in an encrypted form may not be the panacea that people expect.”
He explained, “Experian had a reason to have the credit card info, perhaps to check account balances, and that means that Experian has systems and applications that decrypt the encrypted information. If the hackers stole information using those systems, then the hackers would see the decrypted credit card numbers.”
Indeed, if the hackers were able to decrypt the data, it paints a very different picture of the attack and its implications. “If the encrypted data was compromised, that would indicate a very effective and broad compromise of Experian’s network, most likely due to compromised administrator credentials of some kind,” said Trend Micro’s Christopher Budd in a statement.
Goldschlag believes better authentication is key to reducing vulnerability to hackers and other security threats. Basic authentication techniques are commonly used to protect banking information, but the recent large-scale breaches at Ashley Madison, the Office of Personnel Management, and Experian show that certain types of information require a greater level of authentication as a form of defense.
Back in 2012, hackers gained access to the Experian servers by stealing the account credentials from a Texas bank. It’s possible that hackers gained access to the Experian server by stealing a T-Mobile account holder’s credentials.
“The Experian breach is yet another example of a company being affected by one of its third-party vendors,” said Trend Micro’s Budd. “This situation is similar to the Heartland Payment Systems breach and further reiterates how companies responsible for processing financial information continue to be a weak link in the chain.”
Experian’s Q&A page says the following about the exposure of credit card data: “There were no credit card numbers or account numbers contained in the file accessed, based on our investigation to date.”
One security firm said it has already spotted advertisements for the sale of the stolen T-Mobile data on the Dark Web.
Only time will tell how much data from the Experian hack eventually makes it into the hands of identity thieves, and what damage they do with it.