Experian Hack Slams T-Mobile Customers
15 Million Individuals' Personal Information Exposed
"What we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from Sept. 1, 2013, through Sept. 16, 2015," says T-Mobile CEO John Legere in an open letter to customers posted on his company's website. He adds that although Experian was encrypting the stored Social Security numbers and identity numbers, Experian has told T-Mobile it believes the hacker cracked that encryption, leaving all of the data it was storing at risk.
"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere says.
To that end, Experian is offering two years of free identity theft monitoring services to affected consumers, in the form of its own ProtectMyID service.
Connecticut's Attorney General's office says it plans to investigate the Experian breach, Reuters reports.
Breach Detected in September
On Oct. 1, Experian first disclosed publicly that on Sept. 15, it discovered that "an unauthorized party" accessed its systems, exposing data collected for the aforementioned September 2013 to September 2015 period. "The unauthorized access was in an isolated incident over a limited period of time," the company claims.
No payment card data was exposed during the breach, Experian says. But the company, which aggregates data from a variety of sources to create profiles filled with highly sensitive personally identifiable information, reports that the exposed information includes names, addresses, Social Security numbers, dates of birth, identification numbers - such as driver's licenses, military IDs and passport numbers - plus additional information used in T-Mobile's credit assessments.
"Experian maintains a historical record of the applicant data used by T-Mobile to make credit decisions," Experian says in a breach-related FAQ. "The data provides the record of the applicant's credit application with T-Mobile and is used to assist with credit decisions and respond to questions from applicants about the decision on their credit application. The data is required to be maintained for a minimum period of 25 months under credit laws."
Experian says that it has seen no reports that the stolen data was inappropriately used, and it says that neither its consumer credit database nor other clients' data was accessed and that there was no breach of T-Mobile's security or systems.
But Richard Cassidy, technical director for Europe, the Middle East and Africa at managed cloud security and compliance firm Alert Logic, says attackers target the type of information that was stolen from Experian precisely because they can turn a profit by selling it to other criminals on fraudster forums. "Remember, cybercriminals will monetize any amount of data, so the fact that credit cards or bank information may not have been leaked ... is a moot point."
Alert Logic's Richard Cassidy discusses Experian breach risks and culpability.
Law Enforcement Investigating
T-Mobile says that its investigation is ongoing. "I take our customer and prospective customer privacy very seriously," Legere says. "This is no small issue for us. I do want to assure our customers that neither T-Mobile's systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."
Experian says it notified law enforcement agencies in the United States and abroad when it discovered the intrusion. The company says it took several steps to mitigate the problem, including assessing and removing malware or improper connectivity, performing assessment of isolation procedures of the affected server and associated systems and increasing monitoring of the affected systems.
The company is notifying individuals who may have had their PII exposed in the breach and is offering them its identity theft and credit monitoring services. "Although there is no evidence that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services," the company says in a statement.
"We take privacy very seriously and we understand that this news is both stressful and frustrating," says Craig Boundy, CEO of Experian North America. "We sincerely apologize for the concern and stress that this event may cause. That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."
This isn't the first time that Experian has suffered a security incident. One such past incident involved Experian subsidiary Court Ventures, which aggregates electronically available U.S. public records data, and which allowed a Vietnamese fraudster to buy personal information relating to 200 million people, which he then sold to cybercriminals (see ID Theft Case: Experian Faces Lawsuit). That incident triggered an investigation by multiple states' attorneys general, and a spokeswoman for Connecticut Attorney General George Jepsen tells Reuters that the state's investigation into the Court Ventures matter "is active and ongoing."
Executive Editor Mathew J. Schwartz also contributed to this story.