The recently stolen personal information of around 15 million people who applied for T-Mobile US (NYSE:TMUS) services is already showing up for sale on the dark Web, according to an online security firm.
According to VentureBeat, Irish fraud prevention startup Trustev, which monitors the sale of stolen customer data on illicit websites, has seen listings of data it believes originated from the Experian breach. VentureBeat received screenshots of the listings.
"This morning they saw listings go up for FULLZ data that matches the same types of information that just came out of the Experian hack," Trustev's spokesperson wrote in an email Friday.
"Fullz" is a slang term used by hackers and data brokers to refer to a full package of an individual's personal identifying information, according to VentureBeat. That grouping usually means the hacker has an individual's name, Social Security number, date of birth, account numbers and more.
The data that was hacked in the T-Mobile case included names, dates of birth, addresses and Social Security numbers and/or an alternative form of ID like a driver's license number, as well as additional information used in T-Mobile's own credit assessment. No payment card or banking information was acquired, the companies said.
"Once fraudsters get their hands on data, they typically unload it very quickly," the Trustev spokesperson told VentureBeat. "So like I said, it's not definitely T-Mobile/Experian, but it's extremely likely considering the type of data and timing."
"Although there is no evidence that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services," Experian said last week when the breach was first disclosed.
T-Mobile representatives did not immediately respond to a request for comment.
Experian and T-Mobile said they are working to notify the affected customers, who will be eligible for two years of Experian's credit monitoring and identity resolution services. T-Mobile CEO John Legere, who expressed his vehement anger at the breach, said on Twitter on Saturday that he "confirmed Experian is now offering an alternate ID protection option. Enroll by contacting them." Legere then linked to an Experian document. Customers can call Experian to enroll in the ProtectMyID service "or the alternative identity protection product," Experian said, though it did not name the alternative product.
The data breach prompted Fight for the Future, a nonprofit advocacy group focused on Internet users' rights, to call for Experian CEO Brian Cassin to resign. "Experian CEO Brian Cassin has put the profits of his company above the well-being of his customers and our nation's cybersecurity. Why should Experian bother fixing their security when they can just lobby their way out of the messes they make?" Fight for the Future CTO Jeff Lyon told Consumer Affairs. "This type of thinking is putting millions of people at risk. Cassin should resign and companies like Experian and T-Mobile should take responsibility for the safety of their customers' data."
- see this VentureBeat article
- see this TMoNews article
- see this AP article
- see this Consumer Affairs article