If you haven't heard, there was yet another massive data breach at a large company: Experian, the credit service used by T-Mobile. This breach included Social Security numbers for up to 15 million T-Mobile customers, and that's very bad.
I was hesitant about admitting this in a post, because I'm egomaniacally afraid of hackers targeting me personally, but I'm a T-Mobile customer and my data was included in the breach.
That means my Social Security number will almost certainly hit the black market soon, probably for about $3, coupled with my name.
The first thing security experts will warn you about having your Social Security number stolen is the threat of having someone take out loans and open new credit cards in your name. The less obvious gambit is filing a false tax return.
I'm actually not worried about those things. It's possible to set up a fraud alert or credit freeze with the three credit bureaus to prevent the first two scenarios, and you can call the IRS and file early to guard against the second.
I'm worried about all the companies that use my Social Security number as authentication. You know, like when you call the bank, and they say is this really you, and you say yes of course, and they say what's your address (included in the breach) and what are the last four digits of your Social (included in the breach), and then they say, fantastic, how may I help you? Except this time it's a thief.
If T-Mobile can't guarantee my Social Security number's safety, it shouldn't ask for it
The scariest thing is, I don't know how many accounts could be compromised with this tactic. Or whether an identity thief could leapfrog around, picking up a new piece of information here, another piece there, cracking all my logins for forums, student loans, health insurance, chat apps, Etsy, Apple.com. Pretty soon they'd be more me than me.
T-Mobile has made a point of reinforcing the idea that this breach was not its fault because the data was stolen from a vendor, Experian, that processes its credit checks. "Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," CEO John Legere wrote in a letter to customers. "It is very important for you to know that this was a breach of Experian's server, and did not impact T-Mobile's network or our systems," a representative told me in a Twitter message.
Unfortunately for T-Mobile, it's the one that has to answer to customers. Customers didn't entrust their data to Experian; they entrusted it to T-Mobile. When I gave T-Mobile my Social Security number (a ridiculous ask anyway), the understanding was that T-Mobile would keep it secret. T-Mobile understands that a Social Security number is a valuable thing to be entrusted with.
Usually when someone gives you something valuable, you take extra care not to lose it, or drop it in the toilet, or spill red wine on it, or hand it over to a third party without ensuring that that third party would protect it from hackers. And that's where T-Mobile failed.
T-Mobile should have done a security audit on its partner, even setting aside the fact that Experian has had data breaches in the past. Mega-data breaches have been hitting big companies for long enough now that most should realize that they are a danger. And if T-Mobile can't guarantee my Social Security number's safety, it shouldn't ask for it (a ridiculous and unfortunately ubiquitous requirement).
LinkedIn, Anthem, Target, Experian. It was bound to happen to me one day. (It's happened to me before, but my Social Security number was not included in the breach.) At this point, the only thing that will help me is if everyone else's Social Security number gets leaked in some breach or another so that we stop treating them as if they're secret.
There are 15 million people whose identities may soon be hijacked. Props to T-Mobile for fielding some of the customer service inquiries (although a press inquiry was not answered) but I hope this sets a precedent for all companies that ask for Social Security numbers and other sensitive data: We trusted you.