The consequences of 15m customer records for sale could be far larger than just financial theft – watch out for your health data
It’s easy to dismiss the recent theft of 15m T-Mobile customers’ personal data from credit checking organisation Experian’s servers, and turn away. After all, large scale data theft is becoming almost commonplace now. Just recently, the US government’s personnel office was hacked, leaking the highly personal information of 22m government employees.
But records stolen from the servers of credit bureau Experian are already showing up for sale on the dark web, alleges Irish security startup Trustev.
“This morning they saw listings go up for “FULLZ” data that matches the same types of information that just came out of the Experian hack,” the security firm’s spokesperson wrote in an email to tech website VentureBeat.
“Fullz” is a slang term used by hackers and data brokers to refer to a full package of an individual’s personal identifying information. Such data sets typically include an individual’s name, social security number, birth date, account numbers, and other data.
This matches exactly the data stolen from Experian last week: for each of 15m people who applied for a T-Mobile contract between September 1, 2013 and September 16, 2015, data accessed by hackers included their name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T- Mobile’s own credit assessment (the nature of this information remains undisclosed).
Experian said no payment card or banking information was obtained – but that’s not necessarily the most sensitive data that you own.
Experian is more than just a credit-checking agency, it is also one of the world’s largest data brokers – companies that track, collect and compile realms of personalised data about individuals around the world and package it as a saleable product for the highest bidder.
Customers for this sort of anonymised but ultra-accurate personal data package range from retailers to employers, hospitals, universities and insurance companies.
The danger here is not just identity theft (although that will be straightforward with the type and sensitivity of the data stolen from Experian) – there is also the possibility that this could be cross-referenced with more sensitive datasets like health records or genetic information, which usually don’t have names attached to them.
In the UK, for instance the NHS has a “pseudonymised” set of records called the Hospital Episode Statistics (HES) database that it shares with commercial organisations, including Experian. This contains every instance of a patient in England using a hospital-based service since 2001, covering 47 million patients, identified by date of birth, gender and address – but not name.
If a hacker can gain access to these health records, or any anonymised health datasets made available to commercial and academic research organisations, they can easily cross-reference the date of birth or address records from, say, the T-Mobile dataset (which does contain names), and find a person’s entire health record within minutes.
The result of having your health or genetic data stolen has far more wide-ranging consequences than your financial identity, starting with simple blackmail. And it is also irreversible and permanent, unlike your financial data.
The theft of T-Mobile’s customer details is not the first time hackers have hit a data broker – after all they are centralized founts of personal information, gathered from diverse sources ranging from credit card purchases to public voter registration records. Experian itself was hacked by a Vietnamese identity theft service, which stole more than 200 million customers’ data just last year. And the year before, hackers hit credit agency Equifax and tried to sell the credit history data of celebrities, politicians, and even first lady Michelle Obama.