cyber tuesday logo smaller

“It’s like hearing your bodyguard was robbed outside your front door.”  That wonderfully graphic description captures the reality of learning that hackers stole personal information belonging to about 15 million T-Mobile wireless customers and potential customers in the U.S., including Social Security numbers, home addresses, birthdates and other personal information from credit reporting agency Experian.

Reports indicate the data stolen includes Social Security numbers, home addresses, birthdates and other personal information. Obviously the loss of the personally identifiable information, or PII, will tarnish T-Mobile’s relationship with current and prospective customers, and some analysts are questioning whether T-Mobile had looked into how Experian would protect the data it was given. But there is a widespread presumption that some players in our complex financial system are extremely capable of protecting their data. The bigger issue here may stem from what the hack does to challenge that assumption, and what it tells us about the ability of a leading credit reporting agency to protect the data it collects.

Avivah Litan, vice president of technology advisory firm, Gartner, was quoted in American Banker as saying the breach would really hurt Experian, and would have implications for the role of credit bureaus in banks’ underwriting.  “The No. 1 fraud issue for banks and other companies is new-account opening and identity verification. More identities have been compromised than haven’t. I’m on the phone every day with clients about identity proofing, because credit bureau data is what you use for identity proofing.”

The Experian breach is lending traction to the belief that it is unwise to use personally identifiable information to verify customers anymore.”PII data has become completely unreliable,” Litan said. “People are still using it because there’s nothing else easy to use around, but they’re weaning off of it.”

Think about it. We can’t trust personally identifiable information to identify a person. That’s positively Orwellian.  But if true, what might we use? Look no further than Estonia to see the future. (That’s right, Estonia).


By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

October 6, 2015