Not cool: freezing my credit after yet another data breach

The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/ or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”

T-Mobile’s texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/ payment information were accessed,” as if those data points were the ones I couldn’t reset with a phone call or three.

Instead, I got to spend part of an evening at the sites of the three major credit bureaus to freeze my credit, just in case any recipient of the stolen T-Mobile data was going to try to go to town on my data. In the exceedingly-likely event that you, too, will have to clean up after a corporation’s carelessness with your data, here’s how that went down.

At Experian, at least I didn’t have to clutter my password manager with another saved login. After providing my name, address, complete Social Security Number, birth date and e-mail, the site asked me to verify my identity by answering a personal-data pop quiz (for example, picking previous cities of residence or a cost range for my monthly mortgage payment). After passing that test and starting the credit freeze, Experian generated a 10-digit PIN I could use for subsequent access.

Things were not quite as easy at TransUnion. I had to create an account and provide almost as much personal information as Experian demanded, except that TransUnion only required the last four digits of my SSN. On the other hand, the sign-up workflow included a tacky invitation to sign up for marketing spam: “Please send me helpful tips & news about my service, including special offers from TransUnion and trusted partners!” The site asked me to pick a security question from a preset menu, none of which would have been too difficult for a stranger to research had I answered them truthfully, and then verify my identity in another personal-data quiz.

The company that had itself lost my data before, Equifax, offered the easiest on-ramp. After coughing up another mouthful of personal data–including my full SSN as well as a mobile number–I was able to create an account and, after clicking through a link sent in an account-confirmation e-mail, put a freeze in place. I did not have vouch for my identity by picking a ballpark figure for my mortgage payment or identifying a phone number I’d used before… and I’m not sure that’s a good thing.

I do know it’s not a good thing that T-Mobile kept information like Social Security Numbers that it could not have needed after checking my credit–a failure its apologies have yet to acknowledge. Firing them for that data hoarding, compounded by weak security, might offer a certain emotional closure. But I have no reason to think that switching to AT&T or Verizon and then handing over the same personal data wouldn’t open me to the same risk, because I’m struggling to see anybody at the giant telcos who gives a shit about data minimization.

Weekly output: CISA, e-mail “sub-addressing”

Greetings, frustrated owners of Timex sport watches. I’m glad that essay I wrote in a fit of nerd rage continues to draw such interest at each time change, and I hope that at least some of the people who come here looking for help taking their timepiece in and out of Daylight Saving Time stick around and keep reading.

I spent much of this week wrapping up work on a long and long-delayed story. This coming week will see me in Dublin, where I’m covering Web Summit and catching up with some cousins I haven’t seen in over a dozen years. That’ll be my last air travel for work this year, and I am quite okay with that fact.

Yahoo Tech CISA post10/27/2015: CISA: Why Tech Leaders Hate the Latest Cyber-Security Bill, Yahoo Tech

I had meant to write about this cybersecurity bill earlier, but instead this post went up on the day that the Senate approved it by a 74-21 vote. I guess the folks there did not find this piece terribly persuasive. FYI: If you don’t like rants about Obama’s creeping dictatorship, you might want to avoid the comments.

11/1/2015: When a site rejects email “sub-addressing”, USA Today

Want to protect your privacy by giving a site a custom e-mail address that still lands in your inbox? Some won’t let you do that, and their explanations don’t square with the basic specifications of e-mail.