SPECIAL STATE PROTECTION SERVICE
SPECIAL COMMUNICATION AND INFORMATION
SECURITY STATE AGENCY

COMPUTER EMERGENCY
RESPONSE CENTER

Report Incident

Articles > Experian Hack Slams T-Mobile Customers

5 Oct 2015

 Credit services provider Experian says one of its servers, which stored personal information for some 15 million customers of mobile communications provider T-Mobile USA, has been breached.

"What we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from Sept. 1, 2013, through Sept. 16, 2015," says T-Mobile CEO John Legere in an open letter to customers posted on his company's website. He added that while Experian was encrypting stored Social Security numbers and identity numbers, it tells T-Mobile that it thinks that the hacker cracked that encryption, thus leaving all of the data it was storing at risk.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere says.

To that end, Experian is offering two years of free identity theft monitoring services to affected consumers, in the form of its own ProtectMyID service.

Connecticut's Attorney General's office says it plans to investigate the Experian breach, Reuters reports.

Breach Detected in September
On Oct. 1, Experian first disclosed publicly that on Sept. 15, it discovered that "an unauthorized party" accessed its systems, exposing data collected for the aforementioned September 2013 to September 2015 period. "The unauthorized access was in an isolated incident over a limited period of time," the company claims.

No payment card data was exposed during the breach, Experian says. But the company, which aggregates data from a variety of sources to create profiles filled with highly sensitive personally identifiable information, reports that the exposed information includes names, addresses, Social Security numbers, dates of birth, identification numbers - such as driver's licenses, military IDs and passport numbers - plus additional information used in T-Mobile's credit assessments.

"Experian maintains a historical record of the applicant data used by T-Mobile to make credit decisions," Experian says in a breach-related FAQ. "The data provides the record of the applicant's credit application with T-Mobile and is used to assist with credit decisions and respond to questions from applicants about the decision on their credit application. The data is required to be maintained for a minimum period of 25 months under credit laws."

Experian says that it has seen no reports that the stolen data was inappropriately used, and it says that neither its consumer credit database nor other clients' data was accessed and that there was no breach of T-Mobile's security or systems.

But Richard Cassidy, technical director for Europe, the Middle East and Africa at managed cloud security and compliance firm Alert Logic, says attackers target the type of information that was stolen from Experian precisely because they can turn a profit by selling it to other criminals on fraudster forms. "Remember, cybercriminals will monetize any amount of data, so the fact that credit cards or bank information may not have been leaked ... is a moot