The names, addresses, Social Security numbers, and more of fifteen million T-Mobile credit applicants have been stolen, the carrier confirmed today. The hack focused on the servers of consumer credit agency Experian, which had stored credit assessment data of customers applying for service with T-Mobile between September 1, 2013 and September 16, 2015.
T-Mobile’s own servers were not compromised, the carrier says, and Experian insists that no payment card or banking information was among the data stolen. Similarly, Experian’s consumer credit database was not part of the hack.
However, there’s still plenty of personal information that’s been exposed. Along with name, address, and SSN, the hackers took date of birth and whatever identification number was used when the check was first carried out.
Depending on the form of ID the customer used, that could be their driver’s license, military ID, or passport number. Any additional information T-Mobile used in the credit assessment would also have been appended to any compromised account.
Though the data was encrypted, according to T-Mobile the credit check company has discovered that “the encryption may have been compromised.”
Experian says the security loophole has been closed now and that, for the moment at least, “we have no indication that T-Mobile’s information has been used inappropriately.”
Investigations – including through law enforcement – are ongoing. Customers, meanwhile, are being offered two years of credit monitoring and identity resolution services through ProtectMyID (which is, it’s worth noting, owned by Experian itself).
As for T-Mobile, outspoken CEO John Legere is understandably not especially pleased at more than two years of customer data being stolen.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.” – John Legere, CEO, T-Mobile
Experian says no indication has been found of who the hackers responsible for the theft might be.