With data breaches occurring on a regular basis—up to 7 percent of the American population had personal information stolen this year in the hack on the Office of Personnel Management (OPM)—it’s important to stay vigilant. It’s better to be cautious than to ignore a loss of personal data and find yourself the victim of identity theft.
If you’re a T-Mobile customer, or tried to become one but got turned away because of your credit score, here’s what you need to know.
Who was affected?
A lot of people, unfortunately—around 15 million. If you applied for a regular T-Mobile USA postpaid plan or device financing between September 2013 and September 2015, then you are likely among those affected by the breach.
Experian provides consumer credit checks for thousands of companies on millions of consumers. The company indicated in a press release this week that it took immediate action and secured its servers, but forensic analysis of an intrusion takes time. If you’ve used Experian at all in the past couple of years, you should check back for updates on a regular basis.
What was stolen?
According to Experian, the data acquired by the hackers includes names, dates of birth, addresses, and Social Security numbers (or an alternative form of ID, like a driver’s license or passport), as well as T-Mobile’s own credit assessment.
No credit card or bank account information was compromised, according to the company.
The Social Security numbers and alternative ID information were supposedly encrypted, likely using the bcrypt or MD5 hash function, which scrambles the data into an unusable form. These measures are effective at slowing hackers down and will conceal the numbers if Experian’s data is dumped onto the Web. But with enough time and patience, and the right brute-force software, they can be defeated.
Who is responsible?
No information about the perpetrators has been released so far. Based on the type of information stolen, it’s likely that the individual or group responsible is interested in either trying to scam consumers directly or selling the dataset to others looking to do the same.
Identity theft is the primary concern, but the stolen data could also be used to acquire additional personal information from consumers by a malicious person posing as an Experian or T-Mobile employee. It’s important to remember that neither Experian nor T-Mobile will contact you directly and ask for personal information in connection with the hack. But a smart identity thief would likely pose as someone else entirely so as not to draw your suspicion.
You should always be suspicious of anyone who contacts you by email or phone and asks you to “verify your identity” by giving them some personal information. They may repeat a few personal details about you first in an attempt to throw you off guard. You should always hang up the phone and contact the company directly yourself to verify that the person who called is an official customer representative and not an identity thief.
What can I do to protect myself?
If you applied for device financing or for T-Mobile USA’s postpaid services between Sept. 1, 2013, and Sept. 16, 2015, you can enroll in free identity resolution services at this site: ProtectMyID.
Experian says no financial information was stolen during the breach, which is good; but if you want to stay on top of things, most banks offer apps that will monitor your checking and savings accounts. You should also be able to set limits on how much money is withdrawn each day or get notifications or request text approvals if someone tries to withdraw an above-average amount from one of your accounts. These are all sound security measures you should have set up anyway, so it can’t hurt to start now.
There is always a chance that the information could—somehow—enable a hacker to gain access to other types of accounts, such as social media or email. There are two basic tools you should always use to protect your accounts: two-factor authentication and a password manager.
Two-factor authentication is available for almost every online service these days. If you’re using a service that doesn’t offer it, you should consider quitting that service and finding another. Two-factor authentication, or “2fa” for short, will send a text message to your phone containing a unique code whenever someone tries to log in to your account. You will need this code to complete a login.
Remember: If a “customer service agent” asks you to provide them with a 2fa code sent to your phone, it is almost definitely someone trying to break into your account.
A password manager, such as LastPass, will allow you to generate a totally randomized password up to 100 characters in length. You’ll need only to remember a master passphrase, which should be selected following some basic guidelines: a unique phrase that contains numbers, symbols, capital letters, and no personal information is a good place to start. You should change your master passphrase on at least a biweekly basis.
LastPass offers a mobile app, a desktop app, and a browser plug-in for convenience. You should also enable two-factor authentication for LastPass.
Photo by Mtaylor848/Wikimedia Commons (CC BY SA 3.0)