Personal Data of 15 Million T-Mobile Customers Exposed in a Latest Hack


Personal information of over 15 million T-Mobile customers has been exposed in a latest security breach of Experian, a vendor that processes T-Mobile's credit applications.

Experian data breach affects T-Mobile subscribers:

Experian, one of the world's largest credit agency data brokers, has fallen victim to a data breach that affects approximately 15 million U.S. consumers, including those T-Mobile customers who applied for credit checks. Customers of the cellular company who signed up for T-Mobile between September 1 2013 and September 16, 2015 are the most at risk of having had their private information exposed to the hackers. The stolen data includes social numbers, addresses, phone numbers, passport numbers, etc. If it could be any consolation, the data breach hasn't exposed any financial information such as bank account or credit card information to the hackers.

T-Mobile CEO John Leger responded to the hack:

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment.

While the hack has affected Experian's servers, it looks like it has impacted only the users of T-Mobile as no other companies are mentioned by the credit agency:

Experian North America today announced that one of its business units, notably not  its consumer credit bureau, experienced an unauthorized acquisition of information from a server that contained data on behalf of one of its clients, T-Mobile, USA, Inc.  The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from September 1, 2013 through September 16, 2015, based on Experian's investigation to date. This incident did not impact Experian's consumer credit database.

T-Mobile apparently can't delete credit check data from Experian servers as the credit laws require the retention of historical records of applicant data for at least 25 months. "Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously," CEO of T-Mobile wrote to the public. "This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."

Experian hasn't named any perpetrators except calling it "an unauthorized party," and has contacted the law enforcement. Previously, Experian has been called out for selling data to an identity theft service, reports Fortune.

T-Mobile and Experian are offering consumers affected by the hack two years of free credit monitoring and identity resolution services.