In an announcement on October 1, 2015, Experian North America stated that one of its business entities, which provided credit checks for one of its clients, T-Mobile USA, Inc., had experienced a cyber breach that may have compromised the personal information of some 15 million consumers over a two-year period, from September 1, 2013 through September 16, 2015.
While unequivocally stating that Experian’s consumer credit bureau was not affected, the company did acknowledge that an internal server holding highly sensitive material on behalf of one of its customers, namely T-Mobile, was compromised. The hacked server at Experian contained data collected by T-Mobile for customers who were applying for a cellular phone plan or financed purchase.
The encrypted information exposed in the breach was personally identifiable and included names, email addresses, dates of birth, and Social Security numbers, as well as other forms of ID such as driver’s license or passport numbers. Though neither Experian nor T-Mobile would elaborate, both companies did say that additional security information used in T-Mobile’s credit assessment was also compromised, but that no payment card or banking information was retrieved by hackers.
Experian stated that once it learned of the data breach, the company took immediate action to investigate and resolve the situation. This included notifying federal and international law enforcement officials (as the company is headquartered in Dublin, Ireland) and promptly initiating its own internal investigation while securing the server.
Experian spokeswoman Susan Henson said:
“The data set was for applicants and customers of T-Mobile who applied for service over that two-year period. It was discovered within two days, secured immediately, comprehensive forensic investigation launched, and is still continuing, and we announced it today to quickly notify consumers. Our notification to state attorneys general happens tomorrow.”
That said, statements from Experian and T-Mobile appear to conflict with regard to how much customer data was possibly exposed and how much harm consumers would actually suffer. Add to that the apparent outrage of T-Mobile CEO John Legere, who blasted Experian in a statement posted on T-Mobile’s website, which did little to calm customers’ justifiable fears for the safety of their personal information.
Subsequently, Experian stated that it was reaching out to customers whose personal information may have been breached and offering two free years of credit monitoring to safeguard their information. Through its ProtectMyID program, Experian developed a program called “identity resolution services,” specifically designed to assist possible victims of the cyber attack. Even though Experian stated that it currently had no evidence that customer information had been inappropriately used, it vigorously suggested that customers sign up for the complimentary credit monitoring and/or identity resolution services.
The company went on to state:
“We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress this event may cause. That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation.”
Experian also warned consumers who may have been affected during the breach period that neither Experian nor T-Mobile would in any way contact them by phone or message asking for their personal information in regard to this breach. The message specifically warned consumers not to provide personal information to anyone and referred any concerned customers to the company’s website and specific customer assistance links.
Links For Consumers Affected: