There’s been another data breach involving Experian, it seems, although this one didn’t involve their credit reporting database. Instead, it involved data Experian houses for T-Mobile USA. In a letter to affected T-Mobile USA customers, Experian CEO Craig Boundy writes:
I am writing to let you know of an incident that occurred involving T‐Mobile USA data housed at Experian that may have involved an unauthorized disclosure of your personal information.
On September 15, 2015, we discovered that an unauthorized party accessed certain Experian servers. We immediately began to investigate the incident and to implement additional security measures.
On September 21, 2015, we notified T‐Mobile USA, Inc. that information Experian maintains on their behalf to perform credit checks had been downloaded by the unauthorized party. Information you provided when you applied for an account at T‐Mobile likely was acquired. That information includes your name, address, social security number, date of birth, identification number (such as driver’s license, military ID, or passport number) and additional information used in T‐Mobile’s own credit assessment. No payment card or banking information was obtained. This did not involve access to Experian’s credit reporting database.
Experian has notified appropriate federal, state and international law enforcement agencies and has taken additional security steps to help prevent future incidents.
And as it has done in other breaches involving their databases, Experian offered their product, ProtectMyID, to affected consumers.
The total number of consumers affected was not reported.
Update: T-Mobile USA’s statement about the incident reveals that 15 million people are impacted:
I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.
We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.
Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.
Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.
Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.
T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.
At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.
HA! I love the way T-Mobile handles itself, but it’s another blunder by someone. Most of these hacks are simply password reuse by someone with elevated privileges. All year I hear one dramatically inflated story of a “massive cyber attack” that crippled the network and the hackers stole everything, including the kitchen sink.
This “protection” they offer is absolutely worthless. It will only inform you AFTER something bad has happened to your line of credit. If you are affected, simply go online to these inept credit agencies and freeze your credit for as long as you need to. I recommend having a credit card with a medium-sized limit in case something should happen while your credit is frozen. Sure, you can unfreeze it, but maybe not overnight.
These companies trust each other too easily. Even though it’s not T-Mobile’s fault, the fault T-Mobile has is trusting a company who recently has had issues with policy and procedures. For those that don’t have a clue what I am talking about, head on over to KrebsOnSecurity.com and search for Experian.
It does make you wonder how Experian can protect anyone’s Identity when the company let hackers have access to T-Mobile account data FOR TWO YEARS.
Dissent, time to poke the FTC again?
I think you’ve misunderstood the breach. The retained data covers a two-year period, but the hack didn’t go on for two years. They say it was limited in time. The metadata for their submission to the Calif. AG’s office says the breach/hack occurred Sept. 14 and was discovered on Sept. 15th.
Update: a number of people seem to be interpreting it as you did, Jeanne, so I’ve emailed Experian to ask whether the breach went on for two years or if it was just two years of data for a limited time hack. I’ll update as I find out more.
Update 2: I was right (whew!) – the hack occurred last month over a few days and was discovered within a few days. See this post: http://www.databreaches.net/no-the-experian-hack-did-not-go-on-for-over-two-years-it-happened-last-month/