Approximately one-third of successful cyber attacks are accomplished via the compromise of an insecure vendor. This is, to use a technical term, absolutely nuts. Imagine that you’re a large company. You’re doing everything right, in terms of information security. You’ve got three kinds of firewalls, a stable of well-paid analysts, and all of your critical systems are patched. Then, you get hacked anyway because a vendor logs into a secure system with malware on their computer.
Most of the time, at least in the popular imagination, vendor-related breaches occur not because your corporate partner is insecure, but because they literally don’t know what security is. In the case of the Target breach, customer data was compromised because of an HVAC partner who ensured the security of their company with free software designed for home computers. In terms of security incompetence, the only thing dumber than that would be replacing your firewall with a literal wall of fire. But I digress.
In the case of the recent T-Mobile hack, 15 million customer records (including encrypted Social Security numbers that may also have been compromised) were taken… from Experian. Last year, Experian had revenues of nearly $5 billion. That’s definitely enough money to hire a competent security team. T-Mobile, in turn, has revenues of nearly $30 billion. How is it that giant companies, using large, well-secured vendors, are still vulnerable to vendor-based attacks?
Tempting Target
Experian is a data broker. As such, much of the world’s collective credit information goes through its coffers. The particular data stolen from T-Mobile customers include, “a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment.” This kind of information is candy for credit fraudsters. Although you can’t go as far as making purchases using a stolen credit card (as no credit card data was stolen), you can certainly go about applying for a new card, opening up new lines of credit, and applying for fake tax returns—stuff that is in many ways harder to detect. If someone opened up a new credit card in your name, would you know?
Not only is Experian a tempting target, simply by dint of storing so much information, but it has actually been hacked before. Well, I say “hacked,” but in reality, what transpired was embarrassingly non-technical. For 14 months, from 2012 to 2013, a Vietnamese man named Hieu Minh Ngo posed as a private investigator in order to gain access to Experian records, then re-sold this data on the black market. He was able to keep up this ruse even in the face of extremely shady business dealings, such as paying for data access with cash wire transfers from Singapore. In the end, Experian was hit with a class action lawsuit for failing to notify fraud victims in a timely manner.
In the case of the T-Mobile hack, Experian’s seemingly high level of unpreparedness might have clued hackers in to the presence of a technical vulnerability.
Blind Acquisition
As it happens, Experian inherited its 2012 hack from another company. The individual posing as a private investigator didn’t hack Experian directly. Rather, Experian purchased a small company named Court Ventures. It was Court Ventures that was being conned by Hieu Minh Ngo, and when Experian purchased Court Ventures, it also purchased a hacking problem. Funnily enough, its most recent hacking problem involved the same sort of mishap.
According to information obtained by Brian Krebs, Experian purchased another company, known as Decisioning Solutions, in 2013. This company was subsequently made into a part of Experian’s global credit monitoring platform, Decision Analytics. According to Krebs, the support system to Decision Analytics is so totally borked that anyone with the right URL can just go in and view any and all tickets issued to the Decision Analytics support platform. Anyone who manipulated that URL just a little could go ahead and view, “specific names of network shares, usernames, userIDs, and LanIDs, as well as email addresses, phone numbers of Experian personnel,” across the many dozens of companies that make up the Experian mothership.
Essentially, Experian purchased a company whose software systems were so broken that they offered a wide-open door for anyone seeking to cause mischief within their confidential systems.
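The support-portal flaw Krebs describes is a missing authorization check: the URL names a ticket, and the server hands it over without asking who is calling. As an added illustration (this is not Experian’s code; nothing on the page describes its actual implementation), here is a minimal ticket lookup in both forms, the weak pattern beside a hardened one that requires an authenticated caller and checks that the ticket belongs to the caller’s company. Ticket, session and company values are constructed for the example.

```python
# Added example: a minimal support-ticket lookup, first as the weak pattern
# the article describes (any ticket id in the URL is served to anyone), then
# hardened with authentication and a per-object ownership check.
# All data below is constructed for illustration; not Experian's system.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    company: str
    body: str


@dataclass(frozen=True)
class Session:
    user: str
    company: str


# Constructed sample tickets, each belonging to a different client company.
TICKETS = {
    101: Ticket(101, "acme", "file share hr-docs unreachable for user jdoe"),
    102: Ticket(102, "globex", "reset password for LanID gx-4412"),
}

# Constructed sessions: a token exists only after a successful login.
SESSIONS = {
    "tok-acme": Session("alice", "acme"),
}


def view_ticket_vulnerable(ticket_id: int) -> Optional[Ticket]:
    """Weak pattern: trusts the id in the URL and never asks who is calling,
    so every ticket in the system is readable by whoever requests it."""
    return TICKETS.get(ticket_id)


def view_ticket_hardened(session_token: Optional[str],
                         ticket_id: int) -> Optional[Ticket]:
    """Fixed pattern: authenticate first, then authorize per object.
    Unknown ids and other companies' ids get the same answer, so the
    response does not reveal whether a ticket exists."""
    session = SESSIONS.get(session_token or "")
    if session is None:
        return None          # no valid login: nothing is served
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket.company != session.company:
        return None          # not this caller's ticket: treat as absent
    return ticket
```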
A Total Lack of Due Diligence
To summarize, Experian has made consistently horrible choices in dealing with its various acquisitions. When it comes to information security, appropriately vetting your corporate acquisitions is just as important as vetting your vendors. Without this vetting process in place, you can run afoul of two scenarios. In the first instance, you might end up purchasing a company that is so incompetent at security that it’s already been hacked and didn’t know it. In the second instance, you might end up owning a company whose product is so completely incompatible with your own security infrastructure that it’s impossible to defend it.
In the case of the two hacking incidents covered in this article, it looks like Experian has committed both of these cardinal information security sins.