Experian Breached; T-Mobile Customer's Loss

The last couple of days has seen yet another breach disclosure - this time it's Experian, and the primary victims are 15m T-Mobile customers in the US. It was interesting to note T-Mobile's CEO, John Legere, publicly responding to the breach and the effect on his customers. He's angry, and rightfully so. I'm sure there are a bunch of other credit bureaus now lining up to secure new business.

Some personal thoughts on the breach and it's effects:

• As is so often the trend now, professional hackers and cybercriminals are investing in the long game – stealthily taking control of a network and the data it contains over weeks, months and even years. Instead of opportunistic zero-day exploitation against lists of potential vulnerable targets, hackers carefully probe, infiltrate, and remove evidence of compromise against specific targets. Their end game is perpetual access to the target. The difference is as stark as killing the cow for today’s BBQ, or silently milking it for years.
• While many organizations now employ encryption and cryptographic techniques to protect personal customer data. Many of the techniques employed are dated and focus predominantly on a mix of data-at-rest protection (to combat theft of hard drives or backup cassettes) and SQL DB data dumps – threats that, while severe, are not common targets of prolonged infiltration and stealthy attackers. A critical failure of many of these legacy approaches to data encryption lies in key management. Access to the keys used to encrypt and decrypt the data is a primary target of todays hackers. Unfortunately organizations have great trouble finding secure methods of protecting those keys and still often operate at a level of obfuscation equivalent to leaving the keys under the doormat.
• The data stolen in this attack on Experian’s T-Mobile customers – which includes address details, date of birth, social security numbers, driver license numbers, and maybe passport numbers – is very valuable to cybercriminals. These aggregated personal details can reach as much as $200 per record on various underground forums and locations in the darknet. Stolen identities that include address, SSN, and drivers license details are commonly used in the creation of new online financial accounts – as the professional cybercriminals seek to launder other stolen monies from around the world.
• Constant vigilance is mandatory when it comes to combating professional cybercrime who are in for the long game. It is critically important that organizations continually probe, assess, and monitor all Internet accessible services and assets. Annual penetration testing and quarterly scans didn’t work against this class of threat a decade ago, they most certainly provide less protection and assurance today. Organizations need to be vulnerability scanning their web applications and infrastructure continuously on a 24x7 timetable, must deploy breach detection systems that monitor network and egress traffic, and practice incident response on a monthly basis.

I'm sure that new details will filter out over coming weeks and, if history is anything to go by, the odds are that the victim count will continue to grow.

-- Gunter