Experian hacked, but it’s 15 million T-Mobile customers who are put at risk

T-Mobile’s CEO says he is “incredibly angry”.

The reason? Hackers have stolen information about 15 million people – all of whom had interacted with T-Mobile either as customers or potential customers.

Innocent users have had personal information such as their name, address, and date of birth exposed to the criminals. In addition, encrypted fields in the hacked databases including “social security number and ID number (such as driver’s license or passport number)” may be at risk.

That’s reason enough for T-Mobile CEO John Legere to be very angry. But imagine his apoplexy when he realises that the hackers didn’t breach T-Mobile’s computer systems, but those of Experian, one of the largest data brokers and credit agencies in the world – tasked with credit-checking T-Mobile’s users.

You can read more about John Legere’s annoyance in a blog post on T-Mobile’s site, pointedly entitled “T-Mobile CEO on Experian’s Data Breach.” (my emphasis)

T-Mobile statement by CEO

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.

Clearly, the most important victims here are the T-Mobile users who have had their personal details exposed through no fault of their own, and are potentially running the risk of identity theft.

But you can’t help but feel some sympathy with T-Mobile too. Their own computer systems don’t appear to have been hacked. They trusted a well-known third party company to take proper care of their customers’ data, and – although we don’t know the details yet of just how things went so badly wrong – clearly there was a failure.

And yet it’s T-Mobile’s name which will be dragged through the mud. Their reputation which will be harmed the most in the public’s consciousness. Maybe they’ll lose some customers.

It’s no wonder T-Mobile’s CEO is “incredibly angry”. And no surprise that T-Mobile is keen to emphasise that this was “Experian’s data breach”:

Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.

In its press release about the data breach, Experian’s CEO apologised to affected individuals:

“We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause,” said Craig Boundy, Chief Executive Officer, Experian North America. “That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation.”

Good of them to apologise. It’s surprising how often, following a hack, companies are averse to using words like “sorry” and “apology” – presumably under the advice of the legal department.
