Experian breach may have exposed 15 million T-Mobile records – USA TODAY
SAN FRANCISCO âÂ A hacker has acquired the records of 15 million T-Mobile customers and people who had applied for credit, the company reported Thursday.
The breach, which lasted for two years,Â occurred at Experian, the vendor that processes T-Mobile’s credit applications, T-Mobile Â CEO John Legere said in a post on the site.
Experian North AmericaÂ said in a noticeÂ that one of its business units was compromised, but that its consumer credit bureau was not affected.
Experian immediately secured the server and began an investigation. It has notified both U.S. and international law enforcement. Experian North America’s parent company, ExperianÂ is headquartered in Dublin, Ireland.
“The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015,” Legere wrote.
In a refreshing change from the corporate-speak often used by CEOs whose businesses are breached, T-Mobile’s Legere stayed true to form with his directness.
“Obviously I am incredibly angry about this data breach,” he said, saying he would conduct a “thorough review” of his company’s relationship with Experian but that his top concern for now was “assisting any and all consumers affected.”
The compromised information includes customers’Â names, addresses and birth datesÂ as well as encrypted fields with Social Security number and ID number, which could be a driverâs license or passport number.
Experian told T-Mobile the encryption protecting those numbers may have been compromised, Legere said.
Experian and T-Mobile have set up two years of free credit monitoring and identity resolution services for compromised customers. Ironically, the service is being offeredÂ through Experian’s own credit monitoring service.
Experian cautioned consumers that under no circumstances would either Experian or T-Mobile call them or send them messages asking forÂ personal information in connection with the breach.
“You may go to the website, but you should not provide personal information to anyone who calls you or sends you a message about this incident,” Experian said in a statement.
Follow USA TODAY reporter Elizabeth Weise on Twitter: @eweise.