Why Companies Won’t Learn From the T-Mobile/Experian Hack

The nonprofit Identity Theft Resource Center counted nearly eight hundred breaches last year, more than a third of which targeted businesses. Photograph by David A. Grogan/CNBC via Getty

Last Thursday, John Legere, the C.E.O. of T-Mobile, joined the ranks of the dozens of chief executives who, in the past few years, have had to inform their customers that their personal information has been stolen. “One of our vendors, Experian, experienced a data breach,” Legere tweeted, referring to a Dublin-based credit bureau that his company uses to collect, store, and secure customers’ personal information. Experian explained the details on its Web site:

The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services or products, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment were accessed. No payment card or banking information was obtained.

As one of the fifteen million people who applied for T-Mobile USA’s post-paid services during that period, I was particularly aghast to learn about this breach. T-Mobile USA has, in the past two and a half years, been selling itself as an “uncarrier,” dedicated to upending the telecom industry’s status quo by offering simpler, cheaper, and more intelligible plans. I’d bought into this spin, and believed that it was the way forward for the industry.

Although no financial information was stolen in the T-Mobile breach, the completeness of the data that was acquired is akin to a Lego set for an identity thief. The fraudsters can set up new lines of credit or file for phony tax refunds in our names, and there isn’t much we can do about it. The cybersecurity consultant Bryan Seely told the Seattle Times that, on a scale of one to ten, this breach rates a seven, because it included fifteen million Social Security numbers, along with names and addresses. “When Target had a breach, people were reissued cards. You can’t reissue Socials that easily,” he said. Over the weekend, the e-commerce security firm Trustev claimed that it had found data sets from the Experian hack for sale on the dark Web.

In his note, Legere directed customers to sign up for two years of free credit monitoring and “identity resolution” from a service owned by Experian—which had done such a stellar job of protecting our data in the first place. (Following a social-media outcry, which I participated in, Experian began to offer other options.)

By now, we’re familiar with this pattern: a company discloses a data theft, executives express grave concern, and customers are left to reset their passwords and sign up for free data protection, feeling all the while like data piñatas. The nonprofit Identity Theft Resource Center counted nearly eight hundred breaches last year, more than a third of which targeted businesses (the rest were aimed at various medical, educational, and government entities). The organization has recorded nearly six hundred this year, not including last week’s trifecta of T-Mobile, Scottrade, and Trump Hotels. Add to this mix the crowdfunding site Patreon, which allegedly ignored warnings about its security holes.

An offer of a credit-watching service in the wake of a hack is sort of like getting an alert after a fire has burned down your house. Moreover, in a recent blog post, Brian Krebs, of Krebs on Security, wrote, “Identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.”

Citizens often talk about the need for security and privacy, but we’ve proved mostly unwilling to hold the data leakers accountable. This isn’t the first time Experian has been accused of slipshod practices. As Krebs wrote in an earlier post, the company was recently sued because “it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.” (Experian contests the plaintiffs’ allegations.)

Companies that fail to secure customer data are able to do so in part because they know that the penalties are generally low; they can continue to make money while being protected by the sluggishness of legislative bodies. Though the F.T.C. and F.C.C. can investigate and punish some data-security breakdowns, and nearly every state has some form of notification law in place in the event of data theft, these patchwork measures have proved unable to slow the pace of breaches. Federal legislation put forth by various Congressional leaders to improve things has either failed or stalled; President Obama’s proposed Personal Data Notification and Protection Act, which he announced in January and is currently in committee in the House, would standardize reporting requirements across states, but even these modest measures have been criticized.

Systems that genuinely protect data do exist, but more often than not companies have not made upgrades to their hardware and software infrastructures that would allow them to prevent breaches, detect them when they occur, and limit damage. The relevant practices might include robust data encryption; two-factor authentication for customers and employees; the virtualization of networks at all levels, including applications and data; and adequate monitoring, so that breaches can be addressed quickly.

While it can be costly for businesses to put such systems in place, the pervasive failure to do so is harming the economy broadly. In a report released in September, the Atlantic Council and Zurich Insurance Group predicted that, in one scenario, while the benefits of cyber technology will lead to about an eight-per-cent increase in global G.D.P. between 2010 and 2030 (an amount equivalent to roughly a hundred and sixty trillion dollars), somewhere around 2019 the costs will start to outweigh the benefits, thanks to increased security risks to the infrastructure. (In the United States and Europe, the report found, the annual costs of protecting data systems “already outpace the benefits of connectivity.”) The report argues that, in a worst-case scenario, the missed opportunities will add up to as much as ninety trillion dollars in unrealized global growth.

I take such large numbers from companies with vested interests—Zurich is an insurance giant—with a pinch of salt. However, the larger point that security breaches do real damage not just to consumers but to economies is worth considering. And it’s worth consideration not only by consumers but by governments, which ought to be putting in place proper penalties for data breaches caused by negligent security practices, and enforcing them to the fullest—not to mention setting a better example with their own security practices. Eight hundred breaches in one year is a pretty good indication that the status quo isn’t working.