Personal Info Of 15 Million T-Mobile Credit Applicants Stolen In Experian Data Breach

News
By published

Experian, a services group that handles credit card processing for other companies, announced that the data of 15 million people who have applied for credit for T-Mobile's services between September 1, 2013 and September 16, 2015, was stolen in a recent data breach.

The data included personal information such as social security numbers, names, addresses, birthdates, and drivers license and passport numbers. Some of the data was encrypted, but Experian said that its encryption may have been compromised. Experian also noted that no credit card or banking information was affected by the data breach.

Experian said that when the hack happened, it took immediate action to secure its server, started a comprehensive investigation, and notified the U.S. and international law enforcement agencies. Experian recommended that T-Mobile's credit applicants who think they have been impacted by this hack can sign up for two years of free credit monitoring at www.protectmyid.com/securityincident.

"We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause," said Craig Boundy, CEO, Experian North America. "That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."

The company also reminded everyone that neither it nor T-Mobile would be asking them for their personal information related to this incident. Other hackers may try to take advantage of the situation and ask the hack victims for their personal information while pretending to be representatives of Experian or T-Mobile.

T-Mobile's CEO, John Legere, said he's "incredibly angry" about this data breach and will thoroughly review his company's relationship with Experian after it finishes assisting the affected T-Mobile customers.

Experian hasn't given too much information about how it's securing its systems so far, but considering that only part of its stored information was encrypted, and even that was done poorly, it doesn't look like Experian had strong security for its databases and servers.

Follow Tom's Hardware on Twitter, Facebook, and Google+.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
6 Comments Comment from the forums
  • jaber2
    I am with T-Mobile, let me know when class action law suit starts
    Reply
  • Larry Litmanen
    I am with T-Mobile, let me know when class action law suit starts

    You want the $2.50 that you will receive now or later?

    Class action is a payday for lawyers, not for you.
    Reply
  • Solandri
    Just pass a law requiring these companies and credit bureaus to provide free credit monitoring and protection services for a lifetime if they lose your data, and you'll them start to take securing that data seriously.

    Actually, it's high time we dropped the single cleartext ID (social security number), and went with some sort of private/public key system. The credit agencies could just assign you a private key they keep for themselves, and send you the public key. You give that public key to any bank or credit card company you wish to open an account with. If the public key ever gets compromised, just have the credit agency issue you a new private key.
    Reply
  • thundervore
    I am with T-Mobile, let me know when class action law suit starts

    You want the $2.50 that you will receive now or later?

    $2.50 cannot even buy a gallon of gas or pay a single fare for MTA public transportation here in NYC, not even a bridge toll. If I were a Tmobile customer I would just ask for a free month of something

    Class action is a payday for lawyers, not for you.
    Reply
  • Jason_29
    Isn't it nice that the company that was breached (Experian) is also providing the free credit monitoring?
    Reply
  • velocityg4
    Companies that store personal information that can be used by identity thieves should be required to use the strongest encryption available. All executives of companies that don't follow these standards should be publicly flogged if a data breach occurs.

    Beyond that as detailed credit reports are so vital, the credit bureaus should be required to provide a detailed score on demand for free to the consumer. There should be one score the company provides not a separate mortgage score as the report you can buy now is useless as it does not give you your mortgage score. You have no way to find this score unless you apply for a mortgage loan. They should also be required to list how many points each line item affects your score and publish how they determine scores so consumers can work directly to improve their score. If a consumer wants to fight an item it should be temporarily removed from the score and report until they are proven wrong. The company reporting the negative item must then provide strong evidence that the consumer is at fault.

    If these companies are storing this information and using it to directly affect our financial lives. We should at least be allowed to see this stuff. It's not like letting us see our scores costs any more. It's already processed and stored automatically on their servers. Let the credit card companies, banks and other lenders pay the fees.
    Reply