oct 2, 2015 - T-Mobile:15 million user info leaked

Description:

T-Mobile uses Experian to process its credit applications. Experian Plc (EXPN.L), the world's biggest consumer credit monitoring firm disclosed a massive data breach that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc.

Experian explained the details on its Web site:

The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services or products, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015.


Brian Krebs reported in his blog that the Experian’s Decision Analysis credit information support portal allowed anyone to upload arbitrary file attachments of virtually any file type. Those experts said such file upload capabilities are notoriously easy for attackers to use to inject malicious files into databases and other computing environments, and that having such capability out in the open without at least first requiring users to supply valid username and password credentials is asking for trouble. Experian’s insecurity has dragged T-Mobile into its privacy scandal.

Lesson Learned: Bake security assessment as part of acquisition strategy. Also, do not open systems exposed to internet without any form of authentication.

Added to timeline:

Date: