The theft of 15 million sets of T-Mobile customer data following a breach at credit agency Experian demonstrates that encrypting data isn’t a “panacea” for keeping information secure from hackers, David Goldschlag, co-creator of the Tor secure browser, has warned.
Hackers stole T-Mobile customer details held by Experian, including names, birth dates, social security information, and identification data such as drivers’ licence and passport numbers.
The incident is the latest in a line of high-profile security breaches at organisations ranging from the adulterous dating website Ashley Madison to the US government’s Office of Personnel Management.
But while Experian is thought to have encrypted some data, Goldschlag told VentureBeat that the incident shows how encrypting data isn’t a cure-all, as hackers can get around it.
“Experian differentiated between personally identifying information that was not stored encrypted, and credit card info which was stored encrypted – both were hacked,” he said.
“It is likely that the hackers were able to decrypt the encrypted information too. So storing information in an encrypted form may not be the panacea that people expect,” he warned.
The likely reason cyber criminals were able to make use of the encrypted data is that they broke into the very Experian systems built to store and process that information, and those systems are the ones that decrypt it.
“Experian had a reason to have the credit card info, perhaps to check account balances. And that means that Experian has systems and applications that decrypt the encrypted information,” he said.
“If the hackers stole information using those systems, then the hackers would see the decrypted credit card numbers,” Goldschlag added.
Fred Kost, senior vice president at “cloud control” firm HyTrust, said the Experian breach and the theft of T-Mobile customer data demonstrate the risks of using a third party to hold sensitive data.
“The breach at Experian that compromised T-Mobile customer data is a great example of the risks that arise when one organisation’s data is in another’s control. This can happen with outsourcing arrangements or even the use of cloud-hosted data,” he said.
“If companies do not ask about, and require, details about the protection of their data – including the use of encryption, monitoring and enforcement of access policies, and key management – it’s not a question of ‘if’ they will find themselves in the same position as T-Mobile in the future,” Kost added, suggesting companies storing data in this way will suffer the consequences.
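As an added illustration (not part of this article, and not a model of Experian’s or T-Mobile’s actual systems), the sketch below shows Goldschlag’s point that an application holding the data key hands plaintext to whoever can invoke its decrypt path, alongside the monitoring and key-access enforcement Kost lists: every decrypt goes through one key service that logs the caller and cuts off anyone draining the store faster than the policy allows. The cipher construction, the rate limit and the sample card numbers are all constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import deque

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demo cipher only, not a vetted AEAD)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

class KeyService:
    """Sole holder of the data key. Every decrypt is logged and rate-limited, so a caller
    draining the store through the application's own path is visible and then cut off."""

    def __init__(self, key: bytes, limit: int):
        self._key, self.limit = key, limit
        self.audit = []         # constructed audit log of (caller, timestamp)
        self._window = deque()  # timestamps of decrypts in the last 60 s

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(self._key, nonce, len(plaintext))))

    def decrypt(self, caller: str, blob: bytes, now: float) -> bytes:
        while self._window and now - self._window[0] >= 60:
            self._window.popleft()
        self._window.append(now)
        self.audit.append((caller, now))
        if len(self._window) > self.limit:
            raise PermissionError(f"decrypt rate limit exceeded by {caller}")
        nonce, ct = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct))))

def bulk_dump(ks: KeyService, records: list, caller: str, start: float) -> list:
    """Read every record through the decrypt path (a compromised caller or a runaway batch
    job); returns the plaintexts obtained before the rate policy stopped it."""
    got = []
    for i, blob in enumerate(records):
        try:
            got.append(ks.decrypt(caller, blob, start + i * 0.01))  # 100 calls per second
        except PermissionError:
            break
    return got

if __name__ == "__main__":
    ks = KeyService(os.urandom(32), limit=50)
    print(len(bulk_dump(ks, [ks.encrypt(b"4111111111111111")] * 500, "billing-app", 0.0)))
```

A single lookup succeeds as normal, while the drain attempt is stopped at the limit and every call, including the blocked one, is in the audit log for the custodian to review.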
Despite the data breach, Experian remains confident that hackers haven’t accessed T-Mobile customer credit card or banking data.
“There were no credit card numbers or account numbers contained in the file accessed, based on our investigation to date. However it is always a good practice to monitor your credit card activity,” the company said.
However, security firm Trustev claims that T-Mobile customer data stolen in the Experian data breach is already for sale on the Dark Web.
“This morning they saw listings go up for ‘FULLZ’ data that matches the same types of information that just came out of the Experian hack,” the company said in a statement.
“FULLZ” is a term used within the hacker community to describe a full package of an individual’s personal information, including name, date of birth, account numbers and other data.