DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Experian’s servers hacked; 15 million T-Mobile USA customers affected (UPDATED)

Posted on October 1, 2015 by Dissent

There’s been another data breach involving Experian, it seems, although this one didn’t involve their credit reporting database. Instead, it involved data Experian houses for T-Mobile USA. In a letter to affected T-Mobile USA customers, Experian CEO Craig Boundy writes:

I am writing to let you know of an incident that occurred involving T‐Mobile USA data housed at Experian that may have involved an unauthorized disclosure of your personal information.

On September 15, 2015, we discovered that an unauthorized party accessed certain Experian servers. We immediately began to investigate the incident and to implement additional security measures.

On September 21, 2015, we notified T‐Mobile USA, Inc. that information Experian maintains on their behalf to perform credit checks had been downloaded by the unauthorized party. Information you provided when you applied for an account at T‐ Mobile likely was acquired. That information includes your name, address, social security number, date of birth, identification number (such as driver’s license, military ID, or passport number) and additional information used in T‐Mobile’s own credit assessment. No payment card or banking information was obtained. This did not involve access to Experian’s credit reporting database.

Experian has notified appropriate federal, state and international law enforcement agencies and has taken additional security steps to help prevent future incidents.

And as it has done in other breaches involving their databases, Experian offered their product, ProtectMyID, to affected consumers.

The total number of consumers affected was not reported.

Update: T-Mobile USA’s statement about the incident reveals that 15 million people are impacted:

I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.

Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.

Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.

T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.

At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.

Category: Business SectorHackOf NoteU.S.

Post navigation

← Reports slam OCR’s poor oversight of HIPAA covered entities, breach followup efforts
The complaint to FTC about Experian that accomplished… what? →

3 thoughts on “Experian’s servers hacked; 15 million T-Mobile USA customers affected (UPDATED)”

  1. IA Eng says:
    October 2, 2015 at 6:44 am

    HA ! I love the way T-Mobile handles itself, but its another blunder by someone. Most of these hacks are simply password reuse by some one with elevated privileges. All year I hear one dramatically inflated story of a “massive cyber attack” that crippled the network and the hackers stole everything, including the kitchen sink.

    This “protection” they offer is absolutely worthless. It will only inform you AFTER something bad has happened to your line of credit. if you are affected, simply go online to these inept credit agencies and freeze your credit for as long as you need to. I recommend having a credit card with a medium sized limit in case something should happen while your credit is frozen. Sure, you can unfreeze it, but maybe not overnight.

    These companies trust each other too easily. Even though its not T-Mobile’s fault, the fault T-Mobile has is trusting a company who recently has had issues with policy and procedures. For those that don’t have a clue what I am talking about, head on over to KrebsOnSecurity.com and search for Experian.

  2. Jeanne Price says:
    October 2, 2015 at 12:06 pm

    It does make you wonder how Experian can protect anyone’s Identity when the company let hackers have access to T-Mobile account data FOR TWO YEARS.

    Dissent, time to poke the FTC again?

    1. Dissent says:
      October 2, 2015 at 12:26 pm

      I think you’ve misunderstood the breach. The retained data covers a two-year period, but the hack didn’t go on for two years. They say it was limited in time. The metadata for their submission to the Calif. AG’s office says the breach/hack occurred Sept. 14 and was discovered on Sept. 15th.

      Update: a number of people seem to be interpreting it as you did, Jeanne, so I’ve emailed Experian to ask whether the breach went on for two years or if it was just two years of data for a limited time hack. I’ll update as I find out more.

      Update 2: I was right (whew!) – the hack occurred last month over a few days and was discovered within a few days. See this post: http://www.databreaches.net/no-the-experian-hack-did-not-go-on-for-over-two-years-it-happened-last-month/

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • Ireland’s Data Protection Commission publishes 2024 Annual Report
  • The headlines suggested Freedman Healthcare suffered a ransomware attack that affected patient data. The reality was quite different.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.