Not cool: freezing my credit after yet another data breach

The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/ or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”

T-Mobile’s texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/ payment information were accessed,” as if those data points were the ones I couldn’t reset with a phone call or three.

Instead, I got to spend part of an evening at the sites of the three major credit bureaus to freeze my credit, just in case any recipient of the stolen T-Mobile data was going to try to go to town on my data. In the exceedingly-likely event that you, too, will have to clean up after a corporation’s carelessness with your data, here’s how that went down.

At Experian, at least I didn’t have to clutter my password manager with another saved login. After providing my name, address, complete Social Security Number, birth date and e-mail, the site asked me to verify my identity by answering a personal-data pop quiz (for example, picking previous cities of residence or a cost range for my monthly mortgage payment). After passing that test and starting the credit freeze, Experian generated a 10-digit PIN I could use for subsequent access.

Things were not quite as easy at TransUnion. I had to create an account and provide almost as much personal information as Experian demanded, except that TransUnion only required the last four digits of my SSN. On the other hand, the sign-up workflow included a tacky invitation to sign up for marketing spam: “Please send me helpful tips & news about my service, including special offers from TransUnion and trusted partners!” The site asked me to pick a security question from a preset menu, none of which would have been too difficult for a stranger to research had I answered them truthfully, and then verify my identity in another personal-data quiz.

The company that had itself lost my data before, Equifax, offered the easiest on-ramp. After coughing up another mouthful of personal data–including my full SSN as well as a mobile number–I was able to create an account and, after clicking through a link sent in an account-confirmation e-mail, put a freeze in place. I did not have vouch for my identity by picking a ballpark figure for my mortgage payment or identifying a phone number I’d used before… and I’m not sure that’s a good thing.

I do know it’s not a good thing that T-Mobile kept information like Social Security Numbers that it could not have needed after checking my credit–a failure its apologies have yet to acknowledge. Firing them for that data hoarding, compounded by weak security, might offer a certain emotional closure. But I have no reason to think that switching to AT&T or Verizon and then handing over the same personal data wouldn’t open me to the same risk, because I’m struggling to see anybody at the giant telcos who gives a shit about data minimization.

Weekly output: New laptops, IFA gadgets, online-video subscribers, wireless plans, Equifax

Technically speaking, I didn’t wrap up my IFA coverage until Sunday night, when I posted an album of photos from the show. Monday afternoon, I’m off to San Francisco for Mobile World Congress Americas, a successor to the CTIA wireless-industry show that I skipped last year.

9/5/2017: Why you might not want a laptop with a 4K display, Yahoo Finance

I liked most of what I saw in Windows laptops at IFA, but the idea of cramming Ultra High Definition resolution into a 13- or 14-inch screen seems idiotic to me.

9/6/2017: 4 amazing new gadgets you can’t get in the US, Yahoo Finance

Going to a gadget show overseas means you’ll see some hardware that you won’t be able to buy back home in the States.

9/7/2017: Best Cell Phone Plans, The Wirecutter

If I’d filed this on time, I would have had to rewrite the update to factor in Verizon’s downgrade of its most-advertised “unlimited” wireless plan. Instead, I had a hurried few days of revising the text I’d last updated in March to reflect that and many other pivots among wireless services.

9/7/2017: Measuring the OTT Subscriber, FierceCable

This piece–you’ll have to cough up an e-mail address to read it–covers how some online video services try to get a sense of their customer metrics.

9/8/2017: Why Equifax needs to give up some details about how it got hacked, Yahoo Finance

Equifax’s massive data breach–yes, I seem to be included among the victims–made me mad. Then it made me think about other posts I’ve written to denounce the reflexive silence of too many tech companies after they realize a third party has broken in and stolen customer data.