I agree that “Experian apparently has not benefitted from the lessons learned from its hundreds of breaches to clean up its act, and instead, is focusing on getting legislation passed to indemnify it against such lack of security.” I find it concerning that “millions spent by Experian lobbying for legislation that would keep the company from having to improve its security.”
 
T-Mobile CEO wrote after the breach that he "takes customer and prospective customer privacy very seriously." Experian did not encrypt names, addresses and birthdates, but it is encouraging that Experian took “immediate steps to harden our environment. To ensure our security measures and practices stand up to the high standards to which we hold ourselves.”

I find it concerning that the encryption may have been compromised, but there are now better ways to secure sensitive data. I recently read an interesting report from the Aberdeen Group that revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users”.

Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data. Aberdeen has also seen “a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data”.

Ulf Mattsson, CTO Protegrity
Shared publicly