Today, according to WA State AG Bob Ferguson, about 330,000 Washington residents are among the 15 million people affected by the cyberattack on T-Mobile US data at credit-services company Experian. If you are a Washington State resident and victim of the T-Mobile/Experian data breach, please contact Catherine@Stritmatter.com. We are currently investigating a class action lawsuit against Experian.
WA AG Ferguson urges T-Mobile customers “…to take immediate steps to determine whether you have been a victim of ID theft, and to protect your information going forward,” he said in a statement offering advice to affected consumers.
According to T-Mobile and the credit-reporting company Experian, the breach compromised data that was used by T-Mobile to run credit checks of individuals who applied for T-Mobile services from Sept. 1, 2013, through Sept. 16, 2015. Unauthorized access was gained to Experian’s servers, exposing data including name, address, birthdate, Social Security number, other ID numbers (such as driver’s license, military ID, or passport numbers), and additional information used in T-Mobile’s credit assessment. An estimated 15 million consumers nationwide may have had their data compromised. Experian plans to notify affected consumers.
The Attorney General’s Office offers affected consumers the following advice to guard against identity theft.
- Monitor your credit reports. You are entitled to one free credit report every 12 months from each of the three nationwide credit bureaus (Equifax, Experian and Trans Union). You can request one free report from a different bureau every four months to monitor throughout the year.
- Consider placing a “fraud alert” with each of the three credit bureaus. An alert does not block potential new credit, but places a comment on your history. Creditors should contact you prior to opening a new account.
- Consider placing a “security freeze” with each of the three credit bureaus to prohibit the release of any information from your reports. A security freeze can help prevent identity theft since most businesses will not open credit accounts without checking a consumer’s credit history first. This increases the likelihood that if an ID thief tries to open a new account under your name, they will be denied.
- Beware of unsolicited calls or emails offering credit monitoring or identity theft services. Consumers should never provide their Social Security number, credit card numbers or other personal information in response to unsolicited emails or calls.
If you find unexplained activity on your credit reports, or if you believe you are the victim of identity theft, check these resources for information on steps you can take to protect yourself.
- Review the Attorney General’s ID theft website.
- Review the Federal Trade Commission’s ID theft website.
EARLIER THIS YEAR, news of massive data breaches of Premera and Anthem felt like a one-two punch to many of us focused on protecting consumers. I got a lot of questions from clients and other attorneys, including “What can I do to protect my identity?” and “Should I sign up for any of those ID theft guards like LifeLock?” My responses to these questions are not simple. We can learn to guard against ID theft by remaining vigilant about our credit reports, credit card statements, bank statements, and the like. Sure, if one wants to delegate this responsibility to a third-party, then be prepared for disappointment.
The story of LifeLock’s last several years is a great example of why it’s not wise to leave the security of our ID to a turn-key operator. Some are astounded to find that the company claiming to provide ID theft guard solutions to consumers and businesses have failed in some key respects according to the FTC.
Customers of ID theft-protection firm Lifelock who expected the company to monitor their identities after their data was stolen in a breach were in for a surprise. It turns out Lifelock failed to properly secure their data. Ugh.
According to a complaint filed in court in late July 2015 by the Federal Trade Commission, Lifelock has failed to adhere to a 2010 order and settlement that required the company to establish and maintain a comprehensive security program to protect sensitive personal data users entrust to the company as part of its identity-theft protection service.
Wow. What a strange twist of irony: After all, Lifelock touts its self as the solution to companies that experience data breaches and urges them to offer a complimentary Lifelock subscription to people whose data has been compromised in a breach. To properly monitor victims’ credit accounts to protect them against ID theft, Lifelock requires a wealth of sensitive data, including names and addresses, birth dates, Social Security numbers, and bank card information.
Protecting that data should be a primary concern to Lifelock, particularly in light of the fact that many of its customers have already been victims of a breach. But the FTC found in 2010 that the company had failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network,” either in transit through its network, stored in a database, or transmitted over the internet.
Lifelock had been ordered to remedy that situation, but according to the complaint filed today, it has failed to do so. The complaint is currently sealed, but the previous finding from 2010 provides insight into the company’s security failures.
Lifelock’s CEO was himself a victim of data breach at least 13 times, btw. Call it karma.
NOTE: If you were/are an Amerigroup/Anthem insured in the State of Washington and received notice of a data breach, we want to talk to you. Please contact me via email at Catherine@Stritmatter.com. Participating in a class action lawsuit against a company who neglected to safeguard your personal information will not affect your ability to qualify for “free” id protection services offered by Anthem.
Washington State Insurance Commissioner Mike Kreidler is not the only one who is wondering why it took Premera so long to act, after realizing that at least 11 million individuals’ information were exposed to a data breach. We are too and want to see the large class of Premera customers find justice.
Hackers had unauthorized access to approximately 6 million in Washington and the other 5 million in Alaska and Oregon whose information. There are possibly other markets associated with this breach that extends beyond Washington, Oregon, and Alaska.
Our firm is pursuing a class action to obtain a meaningful recovery for all of the victims involved as the result of Premera’s lack of vigilance over their customer’s data. Please contact PremeraClass@Stritmatter.com, as our attorneys want to speak with you ASAP. Our own Brad J. Moore, who is at the helm of the country’s largest public interest law firm (Public Justice) has a long track record of success with some of the largest consumer protection class action lawsuits.
According to KUOW, after Premera called Kreidler to inform him about the data breach that had occurred over a month before, he asked his staff to find out why it took the health insurer so long to inform everyone about this significant news.
He’s launched a multistate investigation of Premera, explaining: “We would have been heavily engaged in this activity weeks ago if we’d been afforded the opportunity to know in a more timely basis. It was clear once we were notified. Which is part of the irritation right now. It took six weeks.”
The class action/consumer protection attorneys are all for Kreidler’s idea about establishing rules that would have compelled Premera to reveal the information within hours, not weeks.
Again, if you or someone you know was or is a Premera insured and believe that sensitive information was accessed in an unauthorized manner, contact us at PremeraClass@Stritmatter.com
Many questions ran through my head about Premera’s information security, when news came out earlier this week about its massive data breach involving at least 11 million customers first hit the news. Initially, some praised Premera’s response to the sophisticated cyber attack that reportedly occurred in May 2014. However, it turns out that before the breach ever occurred, a federal watchdog agency (Office of Personnel Management’s Office of Inspector General) notified Premera of at least 10 ways that it should address a range of security weaknesses that the audit of their systems revealed.
Among the weaknesses found by the Office of Personnel Management’s Office of Inspector General’s audit were issues related to patch management, insecure server configurations and weakness related to password history configuration settings
Pop. With the news about the fed audit and findings, the bubble of hope in my mind burst: Looks like Premera had not done everything possible in securing its customers’ data before the May 2014 cyberattack. In fact, Premera had “respectfully disagreed” with some of the recommendations related to patches “as it believe[d] deployment of critical security patches is in compliance with the documented patch management policy provided to the OPM audit staff.”
OIG didn’t agree:
The results of the vulnerability scans performed during the fieldwork phase of this audit indicated that Premera was not in compliance with its policy for deploying patches within a specific timeframe based on criticality. As part of the audit resolution process, we recommend that Premera provide OPM with evidence that it has adequately implemented this recommendation. [emphasis added]
The onsite portion of the audit was conducted during January and February of 2014, with additional offsite audit work performed by OIG before and after the on-site visit. The draft report that OIG issued to Premera on April 18, 2014, was based on Premera’s security controls as of March 2014, according to a final version of the report that OIG issued publicly in November 2014.
In a statement earlier this week, Premera, based in Mountlake Terrace, Wash., said that on Jan. 29, it discovered that cyber-attackers had gained unauthorized access to its systems, exposing information on 11 million individuals. An investigation by forensic experts hired by Premera shows that the initial attack occurred on May 5, 2014, the insurer says. That’s less than a month after OIG issued its draft audit report. What unfortunate timing for Premera and all of its insureds…
Granted, no one is yet saying that had Premera timely compliance with OIG’s recommendations would have thwarted the May 2014 cyberattack. The facts should illuminate all of us at some point down the road*. In the meantime, privacy experts such as Kate Borten point out that “failure to patch and unsecure configurations are vulnerabilities we’ve known about for decades…Regardless of whether they contributed to this latest attack, every organization – large and small – should pay attention to such common issues… Make it a priority to keep up with patches. Run vulnerability scans and respond to them by correcting security problems. Make sure your tech and infosec staff understand these security risks, and train them if not.”
NOTE: Stritmatter Kessler Whelan is researching a potential class action against Premera. If you or someone you know had an individual plan (not on a company sponsored plan), please contact me at Catherine@Stritmatter.com.