Experian hacked, but it's 15 million T-Mobile customers who are put at risk

T-Mobile's CEO says he is "incredibly angry".

The reason? Hackers have stolen information about 15 million people - all of whom had interacted with T-Mobile either as customers or potential customers.

Innocent users have had personal information such as their name, address, and date of birth exposed to the criminals. In addition, encrypted fields in the hacked databases, including "social security number and ID number (such as driver’s license or passport number)", may also be exposed, because Experian says the encryption "may have been compromised".

That's reason enough for T-Mobile CEO John Legere to be very angry. But imagine his apoplexy when he realises that the hackers didn't breach T-Mobile's computer systems, but those of Experian, one of the largest data brokers and credit agencies in the world, which was tasked with credit-checking T-Mobile's applicants.

You can read more about John Legere's annoyance in a blog post on T-Mobile's site, pointedly entitled "T-Mobile CEO on Experian's Data Breach." (my emphasis)

T-Mobile statement by CEO

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.

Clearly, the most important victims here are the T-Mobile users who have had their personal details exposed through no fault of their own, and are potentially running the risk of identity theft.

But you can't help but feel some sympathy with T-Mobile too. Their own computer systems don't appear to have been hacked. They trusted a well-known third party company to take proper care of their customers' data, and - although we don't know the details yet of just how things went so badly wrong - clearly there was a failure.

And yet it's T-Mobile's name which will be dragged through the mud. Their reputation which will be harmed the most in the public's consciousness. Maybe they'll lose some customers.

There's no wonder T-Mobile's CEO is "incredibly angry". And no surprise that T-Mobile is keen to emphasise that this was "Experian's data breach":

Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.

In its press release about the data breach, Experian's CEO apologised to affected individuals:

"We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause," said Craig Boundy, Chief Executive Officer, Experian North America. "That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."

Good of them to apologise. It's surprising how often, following a hack, companies are averse to using words like "sorry" and "apology", presumably on the advice of the legal department.




7 Responses

  1. JustinCredible

    October 2, 2015 at 12:01 pm

    This is incredible. All your data is stolen, so you go to this "credit monitoring" site and enter all your data. And they haven't even registered variants of the name (e.g. protectmy1d.com).

    I smell a phishing expedition! This may add salt to the wound…

    • JustinCredible in reply to JustinCredible.

      October 2, 2015 at 1:54 pm

      Oh, and it looks like there's an anonymous Chinese whois proxy registration for protectnyid.com. I need popcorn…
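The commenter's point is that a breach-notification site invites look-alike domains such as protectmy1d.com or protectnyid.com. The following is an added example, not the commenter's own tooling or anything Experian published: a small POSIX shell function that enumerates the single-character homoglyph, keyboard-typo and transposition variants of a domain so that an organisation can register or monitor them before a phisher does. The substitution table is an illustrative subset, and the only input used is the domain named in the article.

```shell
#!/bin/sh
# Added example (not from the article or the commenter): enumerate look-alike
# domains a phisher might register against a breach-notification site.
# The substitution table below is a deliberately small, illustrative set.

# domain_variants DOMAIN: prints one candidate per line, sorted, de-duplicated.
# Assumes a plain second-level domain (label.tld). Covers single-character
# look-alikes (i -> 1/l, l -> 1/i, o -> 0, 0 -> o, m -> rn/n, n -> m, e -> 3,
# a -> 4, s -> 5, 1 -> l), the two-character "rn" -> "m" collapse, and swaps of
# adjacent, differing letters.
domain_variants() {
  label=${1%%.*}
  tld=${1#*.}
  awk -v label="$label" -v tld="$tld" '
    BEGIN {
      subs["i"] = "1 l";  subs["l"] = "1 i"; subs["o"] = "0"; subs["0"] = "o"
      subs["m"] = "rn n"; subs["n"] = "m";   subs["e"] = "3"; subs["a"] = "4"
      subs["s"] = "5";    subs["1"] = "l"
      n = length(label)
      for (p = 1; p <= n; p++) {
        c = substr(label, p, 1)
        # single-character substitutions at position p
        if (c in subs) {
          k = split(subs[c], alts, " ")
          for (j = 1; j <= k; j++)
            print substr(label, 1, p - 1) alts[j] substr(label, p + 1) "." tld
        }
        # "rn" read as "m" (the reverse of the m -> rn homoglyph)
        if (substr(label, p, 2) == "rn")
          print substr(label, 1, p - 1) "m" substr(label, p + 2) "." tld
        # adjacent transposition, skipped when both characters are the same
        if (p < n && c != substr(label, p + 1, 1))
          print substr(label, 1, p - 1) substr(label, p + 1, 1) c substr(label, p + 2) "." tld
      }
    }' | sort -u
}

# Usage: the domain from the article. Pipe the result into whois or a DNS
# lookup to see which candidates are already registered by someone else.
domain_variants protectmyid.com
```

Both of the domains the commenter mentions (protectmy1d.com and protectnyid.com) fall out of this table, which is the point: the candidates are mechanical to enumerate, so a company can register them as part of launching the site rather than discovering them in a phishing campaign.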

  2. graphicequaliser

    October 2, 2015 at 12:45 pm

    Well, I just went onto Experian's site to take up their offer, and after agreeing I was an affected T-Mobile customer (I'm not BTW), it took me to their HTTPS site asking for my personal details. However, it seems they DO NOT LEARN! That site is using an obsolete RSA cipher for encryption (according to Chrome browser), and that is totally unacceptable, especially in the wake of what they have just leaked. If I can ensure that my https site uses modern ciphers with an afternoon's Apache conf tweaks, then why can't they?
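What Chrome was flagging at the time as an "obsolete cipher suite" was a connection that either used plain RSA key exchange (no forward secrecy) or a non-AEAD cipher such as AES-CBC with an HMAC-SHA1 MAC. The following is an added example, not the commenter's configuration and not Experian's: a POSIX shell helper that reads the output format of `openssl ciphers -v` and flags suites on exactly those two criteria, next to an illustrative weak Apache `SSLCipherSuite` setting and the forward-secret, AEAD-only setting that replaces it. The Apache directive names are real; the two suite lists are my own choices for the example.

```shell
#!/bin/sh
# Added example (not the commenter's setup): flag TLS cipher suites that Chrome
# in 2015 reported as obsolete, i.e. RSA key exchange (no forward secrecy) or a
# non-AEAD cipher/MAC. Input is the `openssl ciphers -v` line format, so the
# check also works on a captured list. Suite lists here are illustrative.

# A server set up like this negotiates RSA key exchange with AES-CBC and an
# HMAC-SHA1 MAC, which is what triggers the browser warning:
#   SSLProtocol all -SSLv2 -SSLv3
#   SSLCipherSuite AES128-SHA:AES256-SHA
WEAK_SUITES='AES128-SHA:AES256-SHA'

# The "afternoon's Apache conf tweaks": ECDHE key exchange and AEAD ciphers
# only, with the server rather than the client choosing the order:
#   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#   SSLHonorCipherOrder on
#   SSLCipherSuite <the MODERN_SUITES string below>
MODERN_SUITES='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# flag_obsolete: reads `openssl ciphers -v` lines on stdin and prints each
# obsolete suite with the reason. Exit status 1 if anything was flagged,
# 0 if every suite is forward-secret and AEAD.
flag_obsolete() {
  awk '
    NF == 0 { next }
    {
      name = $1; kx = ""; mac = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Kx=/)  kx  = substr($i, 4)   # e.g. Kx=RSA, Kx=ECDH, Kx=any
        if ($i ~ /^Mac=/) mac = substr($i, 5)   # e.g. Mac=SHA1, Mac=AEAD
      }
      reason = ""
      if (kx == "RSA") reason = "RSA key exchange, no forward secrecy"
      if (mac != "AEAD") reason = reason (reason == "" ? "" : "; ") "non-AEAD (Mac=" mac ")"
      if (reason != "") { print name ": " reason; bad = 1 }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Check what the local OpenSSL would actually offer for each list. OpenSSL
# 1.1.1 and later append the TLS 1.3 suites (Kx=any, Mac=AEAD); they pass.
if command -v openssl >/dev/null 2>&1; then
  echo "== WEAK_SUITES =="
  openssl ciphers -v "$WEAK_SUITES" | flag_obsolete && echo "all suites acceptable"
  echo "== MODERN_SUITES =="
  openssl ciphers -v "$MODERN_SUITES" | flag_obsolete && echo "all suites acceptable"
fi
```

To check a live server rather than a local cipher string, the same function can be fed the suite a handshake actually selected, for example by grepping the `Cipher` line out of `openssl s_client -connect host:443` and looking it up with `openssl ciphers -v`; the criterion is the same either way.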

  3. Gabor Szathmari

    October 2, 2015 at 3:26 pm

    Mr. Legere forgot that you cannot outsource risk to a third-party. Even though the credit checks have been outsourced, the responsibility for the customers' data remains at T-Mobile.

    So instead of holding Experian responsible for the data breach in the press release, just apologise and take the blame because of the poor third-party management practices.

  4. Tom Borgman

    October 2, 2015 at 4:23 pm

    Am I right in thinking that this is T-Mobile USA and only the T-Mobile USA customers whose data was stolen? The editorial doesn't make that clear.

  5. David G

    October 3, 2015 at 11:02 am

    This will continue to happen until the risk of financial ruin is greater than the risk of disclosing private data through poor practice. Sadly, the financial consequences to the individual who has had their details disclosed will never add up to more than petty cash. It needs class action – or the authorities to take a tough line. If we are waiting on the latter, then I'm heading to hell with a thermometer.

  6. Gigi

    October 23, 2015 at 12:52 pm

    Suspiciously, soon after T-Mobile announced the hacking incident (and I am a person who is included in the T-Mobile hacking group), my computer was hacked. I was locked out of my Gmail account and then got a blue screen with instructions to call a number. Instead I called Google and a tech informed me I was hacked all right. The nightmare continued as I scurried to change passwords and contact everyone, including Experian. I am power of attorney on an estate and everything was at risk. My computer has been wiped and cleaned, but my information is still in thieves' hands; this has cost me money and time. I'm angry, and what recourse do I have? I think the above comment is correct; maybe class action will shake up those who require our complete identity and then are unable to protect it from theft.
