The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/ or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”
T-Mobile’s texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/ payment information were accessed,” as if those data points were the ones I couldn’t reset with a phone call or three.
Instead, I got to spend part of an evening at the sites of the three major credit bureaus to freeze my credit, just in case any recipient of the stolen T-Mobile data was going to try to go to town on my data. In the exceedingly-likely event that you, too, will have to clean up after a corporation’s carelessness with your data, here’s how that went down.
At Experian, at least I didn’t have to clutter my password manager with another saved login. After providing my name, address, complete Social Security Number, birth date and e-mail, the site asked me to verify my identity by answering a personal-data pop quiz (for example, picking previous cities of residence or a cost range for my monthly mortgage payment). After passing that test and starting the credit freeze, Experian generated a 10-digit PIN I could use for subsequent access.
Things were not quite as easy at TransUnion. I had to create an account and provide almost as much personal information as Experian demanded, except that TransUnion only required the last four digits of my SSN. On the other hand, the sign-up workflow included a tacky invitation to sign up for marketing spam: “Please send me helpful tips & news about my service, including special offers from TransUnion and trusted partners!” The site asked me to pick a security question from a preset menu, none of which would have been too difficult for a stranger to research had I answered them truthfully, and then verify my identity in another personal-data quiz.
The company that had itself lost my data before, Equifax, offered the easiest on-ramp. After coughing up another mouthful of personal data–including my full SSN as well as a mobile number–I was able to create an account and, after clicking through a link sent in an account-confirmation e-mail, put a freeze in place. I did not have vouch for my identity by picking a ballpark figure for my mortgage payment or identifying a phone number I’d used before… and I’m not sure that’s a good thing.
I do know it’s not a good thing that T-Mobile kept information like Social Security Numbers that it could not have needed after checking my credit–a failure its apologies have yet to acknowledge. Firing them for that data hoarding, compounded by weak security, might offer a certain emotional closure. But I have no reason to think that switching to AT&T or Verizon and then handing over the same personal data wouldn’t open me to the same risk, because I’m struggling to see anybody at the giant telcos who gives a shit about data minimization.