Skip to main content

Tor browser co-creator: Experian breach shows encryption may not be security panacea

A datacenter server room.

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


The Experian/T-Mobile hack may be more worrisome than Experian’s carefully worded description of it suggests, some security experts said Friday.

One is the co-creator of the Tor secure browser, David Goldschlag, (now SVP of strategy at Pulse Secure). Goldschlag previously was head of mobile at McAfee, and also once worked at the NSA.

I asked Goldschlag a simple question: “After the Office of Personnel Management and Experian hacks, is there reason to fear that hackers now have the means to steal actual financial information (credit card numbers, etc.) from banks or insurers?”

Goldschlag didn’t answer the question directly, but his answer was disturbing.

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

“Experian differentiated between personally identifying information that was not stored encrypted, and credit card info which was stored encrypted — both were hacked,” Goldschlag wrote in a note to VentureBeat.

“Experian added that it is likely that the hackers were able to decrypt the encrypted information too,” he said. (Experian’s CEO admitted this.) “So storing information in an encrypted form may not be the panacea that people expect.”

He explained, “Experian had a reason to have the credit card info, perhaps to check account balances, and that means that Experian has systems and applications that decrypt the encrypted information. If the hackers stole information using those systems, then the hackers would see the decrypted credit card numbers.”

Indeed, if the hackers were able to decrypt the data, it paints a very different picture of the attack and its implications. “If the encrypted data was compromised, that would indicate a very effective and broad compromise of Experian’s network, most likely due to compromised administrator credentials of some kind,” said Trend Micro’s Christopher Budd in a statement.

Goldschlag believes better authentication is key to reducing vulnerability to hackers and other security threats. Basic authentication techniques are commonly used to protect banking information, but the recent large-scale breaches at Ashley Madison, the Office of Personnel Management, and Experian show that certain types of information require a greater level of authentication as a form of defense.

Back in 2012, hackers gained access to the Experian servers by stealing the account credentials from a Texas bank. It’s possible that hackers gained access to the Experian server by stealing a T-Mobile account holder’s credentials.

“The Experian breach is yet another example of a company being affected by one of its third-party vendors,” said Trend Micro’s Budd. “This situation is similar to the Heartland Payment Systems breach and further reiterates how companies responsible for processing financial information continue to be a weak link in the chain.”

On Experian’s Q&A page it says the following about the exposure of credit card data: “There were no credit card numbers or account numbers contained in the file accessed, based on our investigation to date.”

One security firm said it’s already spotted advertisements for the sale of the stolen T-Mobile data on the Dark Web.

Only time will tell how much data from the Experian hack eventually makes it into the hands of identity thieves, and what damage they do with it.

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.