The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/ or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”
T-Mobile’s texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/ payment information were accessed,” as if those data points were the ones I couldn’t reset with a phone call or three.
Instead, I got to spend part of an evening at the sites of the three major credit bureaus to freeze my credit, just in case any recipient of the stolen T-Mobile data was going to try to go to town on my data. In the exceedingly-likely event that you, too, will have to clean up after a corporation’s carelessness with your data, here’s how that went down.
At Experian, at least I didn’t have to clutter my password manager with another saved login. After providing my name, address, complete Social Security Number, birth date and e-mail, the site asked me to verify my identity by answering a personal-data pop quiz (for example, picking previous cities of residence or a cost range for my monthly mortgage payment). After passing that test and starting the credit freeze, Experian generated a 10-digit PIN I could use for subsequent access.
Things were not quite as easy at TransUnion. I had to create an account and provide almost as much personal information as Experian demanded, except that TransUnion only required the last four digits of my SSN. On the other hand, the sign-up workflow included a tacky invitation to sign up for marketing spam: “Please send me helpful tips & news about my service, including special offers from TransUnion and trusted partners!” The site asked me to pick a security question from a preset menu, none of which would have been too difficult for a stranger to research had I answered them truthfully, and then verify my identity in another personal-data quiz.
The company that had itself lost my data before, Equifax, offered the easiest on-ramp. After coughing up another mouthful of personal data–including my full SSN as well as a mobile number–I was able to create an account and, after clicking through a link sent in an account-confirmation e-mail, put a freeze in place. I did not have to vouch for my identity by picking a ballpark figure for my mortgage payment or identifying a phone number I’d used before… and I’m not sure that’s a good thing.
I do know it’s not a good thing that T-Mobile kept information like Social Security Numbers that it could not have needed after checking my credit–a failure its apologies have yet to acknowledge. Firing them for that data hoarding, compounded by weak security, might offer a certain emotional closure. But I have no reason to think that switching to AT&T or Verizon and then handing over the same personal data wouldn’t open me to the same risk, because I’m struggling to see anybody at the giant telcos who gives a shit about data minimization.
Companies that cause problems like this ought to supply the victims with a decade of credit monitoring and pay a $100 per victim fine. That is less than what you or I pay for a DC speed cam!
Because of the Equifax data breach (and the continuing general porosity of the credit reporting bureaus’ “we only sell data to legitimate businesses” *wink* *wink* *nudge* *nudge* processes), the processes that you went through to establish your proof of identity in order to be able to freeze your credit files are processes that could be used by any directed criminal to do the same. The credit reporting bureaus continue to be inadequately controlled by law, regulation, and regulatory action.
The huge question is: Why hadn’t you frozen your credit files years earlier? (n.b. “frozen”, not “locked”. “Lock” is a marketing term that these same guilty credit bureaus use in their for-sale products as a way of getting the consumers who they harm to pay them to NOT really freeze their credit files, which law requires to be free, and which is more effective than the paid “lock”s).