Update: T-Mobile has reached out and clarified that the breach affects current and former customers who went through a credit check. Anyone who did not go through a credit check is unaffected.
T-Mobile has confirmed this evening that as many as 15 million of its customers have been affected by a data breach. As the company is quick to point out, however, the breach did not occur on its servers, but rather its credit partner’s, Experian.
While Experian and T-Mobile both confirm that no credit card or banking information was compromised in the breach, a variety of other sensitive information was. Customer names, addresses, birthdates, Social Security numbers, and ID numbers were all leaked as part of the attack.
The attack affects approximately 15 million people who required a credit check when signing up for device financing through T-Mobile. Perhaps most notably, however, the vulnerability was open for more than two years, from September 1, 2013 though September 16, 2015.
T-Mobile says that it is offering two years of free credit monitoring to anyone who fears they could have been affected by the breach. T-Mobile CEO John Legere wrote in an open letter on the carrier’s website that he is “incredibly angry about this data breach” and that T-Mobile will be reevaluating its relationship with Experian.
[tweet https://twitter.com/JohnLegere/status/649716186482016256 align=’center’]
T-Mobile CEO on Experian’s Data Breach
I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.
We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.
Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.
Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.
Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.
T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.
At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.
FTC: We use income earning auto affiliate links. More.
Is anyone safe from ID theft anymore? SMH.
Unfortunately not.
Best thing to do is to freeze your credit records with all 3 bureaus. That way anyone who tries to open any kind of account with your information is unconditionally and summarily denied. I’ve had mine frozen for years and I have great peace of mind on this issue. Costs close to nothing to freeze/unfreeze at will (Lifelock essentially does the same thing but they charge you fees to do it for you, whereas you can do it yourself for free in many cases).
Obviously, there are other areas where ID theft can impact you, but freezing your credit records is a major, major form of defense that eliminates a majority of the threats or hassles.
Two years? Jeeze louise…How the hell does a multi-million dollar company like Experian have an open vulnerability that nobody knows about for two friggen years? Do they not get security audited by private firms on a quarterly basis??
I’m not surprised. I worked for a wing of Experian a few years back when one of their competitors was hacked. It caused us to up our security some, but it would have been easy had someone hit us at that time.
I’d of rather they took my credit card numbers then social security. I can easily enough change my CC number, but someone having my SS# means they can cause damage years down the line.
well I am a bit skeptic about the credit card part since I just had fraud on my credit card that I used to pay TMobile for my device installments and recently for Jump on demand.
That’s interesting. I actually just had a fraudulent charge on mine too a few days ago. My wife and I were trying to figure out how since I just had it replaced about 6 months ago from another data breach.
I give T-Mobile big props for their upfront, no excuses offered pro-active stand on releasing this story.
I’m not so sure how AT&T or Verizon would have handled the same situation.
YMMV
Very convenient – their sales reps are still actively lying to people about not running credit checks for new service and they still do. Now these lies have resulted in a gigantic breach. Wonderful!
Kind of begs the question “How many other Experian customers (not us, we’re the product) had data breach events that aren’t being reported?” Experian and their ilk are evil and the bane of the American public.
Sprint did it😂😂😂😂😂