Mobile phone and cell provider T-Mobile, the fourth-largest cell provider in the United States, reported today that the social security numbers, birthdays, addresses, and other personal information of 15 million of its customers were stolen by hackers. The attack was pulled off not against T-Mobile directly but against a T-Mobile partner named Experian, which performs credit checks for new T-Mobile customers. T-Mobile indicated that no payment information had been stolen.
Cyber attacks against large corporations often target those companies’ partners rather than the enterprise itself. Late last year, Target, which depends on perhaps hundreds of smaller firms to provide a variety of services, reported that the massive breach against it most likely arose because of lax security controls at one such partner. The same fate has now befallen T-Mobile.
The usual aphorism about weakness applies just as well to cyber security as it does to any other pursuit: cyber defense is only as strong as the weakest link. Large companies that depend on services provided by smaller ones need to investigate the cyber security practices of those firms thoroughly. They should establish rigorous certification programs that ask their partners to demonstrate clearly that their processes follow best practices in cyber security. These firms need to demonstrate compliance with HIPAA, SOX, PCI, or whatever set of regulations pertains to the industry in which they work. But it is also important for firms to go beyond these industry-standard regulations and create standards and compliance programs specific to their own enterprise. In this way, large corporations can verify that the service providers on which they depend operate information systems that mesh securely with their own, and that those providers treat customers’ data with as high a level of care as the corporations themselves do.
When a company like Experian fails, it is T-Mobile that suffers the greater damage, because it must work to compensate, protect, and win back the millions of customers who could be hurt by this incident. Obviously, though, the customers are the ones who may end up hurting the most. A number of services have been introduced recently to help people recover from identity theft, including IdentityGuard and LifeLock. These kinds of services, which give customers additional protection against having their personal records stolen through proactive monitoring, as well as insurance for when such records are stolen, are becoming increasingly popular. They can be costly, but the additional protections they provide can prove invaluable.
Ultimately, personal identification is going to have to move away from simply things one knows to things one is. Combining biometric information, such as retinal scans or fingerprints, with traditional data points such as social security numbers, will ensure that simply possessing data about a victim doesn’t empower an attacker to take over that person’s life. Biometric measures are still expensive to capture, store, and integrate into the numerous processes for which they should be used, but we need to begin moving in that direction if we want to minimize the damage caused by inevitable future attacks like the one against T-Mobile.
As we begin National Cyber Security Awareness Month, we are reminded of just how vulnerable our identities are, and we are challenged to take the necessary steps to protect them. We stakeholders – individuals and the organizations we operate and support – have a lot to lose if we don’t start taking common-sense – but, no doubt, expensive and technically challenging – measures to make it harder for the bad guys to steal our lives. It is certainly worth the extra effort and expense.