Experian, that keeper of your credit information and reputation, has been hacked, and the hackers got away with the personally identifiable information (PII) of 15 million T-Mobile customers and applicants.
The breach happened in the middle of September, however Experian and T-Mobile are only just now announcing it. Given all of the available information, it seems likely that Experian may only have notified T-Mobile this week, and that T-Mobile issued a statement as soon as they learned of the breach.
The hackers hacked in to one of Experian’s servers, and it happened to be the server that is used specifically to store the data of customers who have applied for credit with T-Mobile (this means that only those customers’ PII was at risk from this breach, although Experian has also had other breaches in the past).
The data that the hackers acquired is data from credit checks that Experian performed for T-Mobile, and includes names, addresses, social security numbers (SSN), driver’s license numbers, and passport numbers. Everything a hacker needs to become you. Experian has said that the license and passport numbers were encrypted, but that “that encryption may also have been compromised.”
People affected by this breach are those who either applied for a T-Mobile account (they are calling this “postpaid services”, which is a way of saying ‘not pre-paid’ – in other words, a normal T-Mobile account), or who applied for device financing, within the past 2 years. So, pretty much everybody who isn’t using a pre-paid phone.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
T-Mobile has said that the reason that information is retained, and why they can’t delete it from the Experian servers, is owing to regulations that require them to retain credit check information for at least 2 years.
And, T-Mobile has a whole lot more to say. In fact, T-Mobile CEO John Legere is being lauded for his open, swift, and honest public response to the news.
“I’ve always said that part of being the Un-carrier means telling it like it is,” Legere said yesterday. “Whether it’s good news or bad, I’m going to be direct, transparent and honest.”
Legere then went on to say that “Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously.”
(You can read Legere’s full statement below.)
For their part, Experian has issued a lengthy statement and FAQ here, which says, in part, that the hack “was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T- Mobile’s own credit assessment were accessed. No payment card or banking information was obtained.”
They then go on to say that “Experian is notifying the individuals who may have been affected and is offering free credit monitoring and identity resolution services for two years. In addition, government agencies are being notified as required by law.”
Is that irony lost on you? The irony that the very company that was breached is offering to give you credit and identity monitoring services for two years?
We are reminded of that old Dr. Seuss book, in which the watchers needed watching.
The irony isn’t lost on us, and it’s not lost on the security community. Security consultant Jon Mandel points out, in The Guardian, that “The irony is that so many companies have used Experian as a ‘clean room’ to put your data together with other companies’ data to keep it from being personally identifiable. That very ability can make everything personally identifiable.”
The irony also isn’t lost on Legere himself, as he took to Twitter in a very proactive and responsive way yesterday, starting out by announcing the breach:
…and then quickly acknowledging the irony of Experian being the ones to offer the free monitoring, and advising that they are looking to line up an alternative monitoring service to offer to their T-Mobile customers who may be worried that their PII was part of the breach.
Now, we have to say that we have been a highly satisfied T-mobile customer for more than a decade (due in no small part to our love affair with the T-Mobile Sidekick (RIP)), so we are pleased to see Lagere step up to the plate like that.
We will update this post as soon as we know what alternative monitoring service T-Mobile has lined up for its customers.
In the meantime, here is T-Mobile CEO John Lagere’s full statement, which you can also read here.
T-Mobile CEO John Lagere’s Statement on Experian T-Mobile Hack and Breach
T-Mobile CEO on Experian’s Data Breach
I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.
We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.
Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.
Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.
Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.
T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.
At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.
Sincerely,
John Lagere
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Bob, and thank you for the appreciation!
Was just thinking of applying for a T-Mo post paid plan.
Wonder if my data would be at risk.
Thanks for your informative articles.