DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Experian’s servers hacked; 15 million T-Mobile USA customers affected (UPDATED)

Posted on October 1, 2015 by Dissent

There’s been another data breach involving Experian, it seems, although this one didn’t involve their credit reporting database. Instead, it involved data Experian houses for T-Mobile USA. In a letter to affected T-Mobile USA customers, Experian CEO Craig Boundy writes:

I am writing to let you know of an incident that occurred involving T‐Mobile USA data housed at Experian that may have involved an unauthorized disclosure of your personal information.

On September 15, 2015, we discovered that an unauthorized party accessed certain Experian servers. We immediately began to investigate the incident and to implement additional security measures.

On September 21, 2015, we notified T‐Mobile USA, Inc. that information Experian maintains on their behalf to perform credit checks had been downloaded by the unauthorized party. Information you provided when you applied for an account at T‐ Mobile likely was acquired. That information includes your name, address, social security number, date of birth, identification number (such as driver’s license, military ID, or passport number) and additional information used in T‐Mobile’s own credit assessment. No payment card or banking information was obtained. This did not involve access to Experian’s credit reporting database.

Experian has notified appropriate federal, state and international law enforcement agencies and has taken additional security steps to help prevent future incidents.

And as it has done in other breaches involving their databases, Experian offered their product, ProtectMyID, to affected consumers.

The total number of consumers affected was not reported.

Update: T-Mobile USA’s statement about the incident reveals that 15 million people are impacted:

I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.

Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.

Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.

T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.

At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.

Category: Business SectorHackOf NoteU.S.

Post navigation

← Reports slam OCR’s poor oversight of HIPAA covered entities, breach followup efforts
The complaint to FTC about Experian that accomplished… what? →

3 thoughts on “Experian’s servers hacked; 15 million T-Mobile USA customers affected (UPDATED)”

  1. IA Eng says:
    October 2, 2015 at 6:44 am

    HA ! I love the way T-Mobile handles itself, but its another blunder by someone. Most of these hacks are simply password reuse by some one with elevated privileges. All year I hear one dramatically inflated story of a “massive cyber attack” that crippled the network and the hackers stole everything, including the kitchen sink.

    This “protection” they offer is absolutely worthless. It will only inform you AFTER something bad has happened to your line of credit. if you are affected, simply go online to these inept credit agencies and freeze your credit for as long as you need to. I recommend having a credit card with a medium sized limit in case something should happen while your credit is frozen. Sure, you can unfreeze it, but maybe not overnight.

    These companies trust each other too easily. Even though its not T-Mobile’s fault, the fault T-Mobile has is trusting a company who recently has had issues with policy and procedures. For those that don’t have a clue what I am talking about, head on over to KrebsOnSecurity.com and search for Experian.

  2. Jeanne Price says:
    October 2, 2015 at 12:06 pm

    It does make you wonder how Experian can protect anyone’s Identity when the company let hackers have access to T-Mobile account data FOR TWO YEARS.

    Dissent, time to poke the FTC again?

    1. Dissent says:
      October 2, 2015 at 12:26 pm

      I think you’ve misunderstood the breach. The retained data covers a two-year period, but the hack didn’t go on for two years. They say it was limited in time. The metadata for their submission to the Calif. AG’s office says the breach/hack occurred Sept. 14 and was discovered on Sept. 15th.

      Update: a number of people seem to be interpreting it as you did, Jeanne, so I’ve emailed Experian to ask whether the breach went on for two years or if it was just two years of data for a limited time hack. I’ll update as I find out more.

      Update 2: I was right (whew!) – the hack occurred last month over a few days and was discovered within a few days. See this post: http://www.databreaches.net/no-the-experian-hack-did-not-go-on-for-over-two-years-it-happened-last-month/

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.