Personal info of 15 million T-Mobile USA customers stolen in Experian breach
Personal information of some 15 million T-Mobile US customers and applicants has been stolen by hackers who managed to breach several Experian servers. The credit agency performs credit checks for T-Mobile USA, and houses the data they need to do that.
According to T-Mobile’s CEO John Legere, the information collected from applicants who were credit-checked between 1 September 2013 and 16 September 2015 has also been stolen.
The compromised records include the customers’ name, address, social security number, date of birth, identification number (such as driver’s license, military ID, or passport number) and additional information used in T‐Mobile’s own credit assessment.
The Social Security number and ID number fields were apparently encrypted, but according to Experian, that encryption may have been compromised.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere said, and made sure to point out that “neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”
Experian has offered affected customers two years of free credit monitoring and identity resolution services.
For those wondering why all this information was still kept on Experian’s servers, T-Mobile has an answer: “The data is required to be maintained for a minimum period of 25 months under credit laws.”
“Our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network. You will have to speak with Experian to get detailed information about their security practices,” the company noted in a FAQ about the breach.
The breach notification letter sent by Experian to affected customers says that the breach was discovered on September 15, 2015, that a subsequent investigation revealed that the information housed in those servers was downloaded by the attackers, that the company has implemented additional security measures to prevent breaches like this in the future, that the authorities have been notified of the matter, and that Experian’s credit reporting database wasn’t accessed.