Experian (opens in new tab), a services group that handles credit card processing for other companies, announced that the data of 15 million people who have applied for credit for T-Mobile's services between September 1, 2013 and September 16, 2015, was stolen in a recent data breach.
The data included personal information such as social security numbers, names, addresses, birthdates, and drivers license and passport numbers. Some of the data was encrypted, but Experian said that its encryption may have been compromised. Experian also noted that no credit card or banking information was affected by the data breach.
Experian said that when the hack happened, it took immediate action to secure its server, started a comprehensive investigation, and notified the U.S. and international law enforcement agencies. Experian recommended that T-Mobile's credit applicants who think they have been impacted by this hack can sign up for two years of free credit monitoring at www.protectmyid.com/securityincident.
"We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause," said Craig Boundy, CEO, Experian North America. "That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."
The company also reminded everyone that neither it nor T-Mobile would be asking them for their personal information related to this incident. Other hackers may try to take advantage of the situation and ask the hack victims for their personal information while pretending to be representatives of Experian or T-Mobile.
T-Mobile's CEO, John Legere, said he's "incredibly angry" about this data breach and will thoroughly review his company's relationship with Experian after it finishes assisting the affected T-Mobile customers.
Experian hasn't given too much information about how it's securing its systems so far, but considering that only part of its stored information was encrypted, and even that was done poorly, it doesn't look like Experian had strong security for its databases and servers.