Experian Breach Spills Data on 15 Million T-Mobile Customers

A massive data breach at the credit-reporting agency Experian could wind up having major implications for 15 million T-Mobile customers.

The telecom uses the agency, one of the “big three” credit reporting bureaus, to check the credit ratings of its customers. News broke last night, however, that any customers who applied for a credit check for service or device financing over the last few years may have had their information compromised in the breach.

Specifically, information stored on a server at one of Experian’s business units pertaining to T-Mobile USA customers from Sept. 1, 2013 to Sept. 16, 2015 appears to have been accessed.

While users’ payment card information has been deemed safe, Experian warns that other records containing customers’ names, addresses, Social Security numbers, and dates of birth were accessed. Additional “identification numbers” – in this case, driver’s license, military ID, or passport numbers – were also included in the server and allegedly downloaded by attackers.

Experian discovered on Sept. 15 that an unauthorized party had accessed the server and it contacted authorities, according to a factsheet published by Experian on Thursday.

Perhaps the most concerning news about the incident wasn’t disclosed by Experian’s F.A.Q. but instead by a letter to customers penned by T-Mobile CEO John Legere Thursday night. In it, he claims that Experian stored users’ Social Security numbers and ID numbers in “encrypted fields,” but admits that “Experian has determined that this encryption may have been compromised.”

Legere, understandably upset about the situation, expressed his anger in the letter, and called the company’s future relationship with Experian into question.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote.

As is usually the case in data breaches such as this, Experian claims it will notify those affected and offer them free credit monitoring and identity resolution services for up to two years.

The agency stores credit data on hundreds of millions of Americans but is insisting that only the server that stored T-Mobile customer information was accessed.

Several years ago the credit agency indirectly sold a cache of consumer information to a Vietnamese national, Hieu Minh Ngo, after he maintained he was a private investigator. Ngo essentially got access to a database of Social Security numbers for some 200 million Americans and then sold that information via identity theft websites.

Discussion

  • Brian on

    Given that the company is storing this data, then they should be liable for ALL costs a customer incurs plus compensation of a $1000 for the worry. That might make companies consider the stupidity of having stuff accessible on line or poor security. T mobile is also responsible as they chose the supplier.
