Update: T-Mobile has reached out and clarified that the breach affects current and former customers who went through a credit check. Anyone who did not go through a credit check is unaffected.
T-Mobile has confirmed this evening that as many as 15 million of its customers have been affected by a data breach. As the company is quick to point out, however, the breach did not occur on its servers, but rather its credit partner’s, Experian.
While Experian and T-Mobile both confirm that no credit card or banking information was compromised in the breach, a variety of other sensitive information was. Customer names, addresses, birthdates, Social Security numbers, and ID numbers were all leaked as part of the attack.
The attack affects approximately 15 million people who required a credit check when signing up for device financing through T-Mobile. Perhaps most notably, however, the vulnerability was open for more than two years, from September 1, 2013 though September 16, 2015.
T-Mobile says that it is offering two years of free credit monitoring to anyone who fears they could have been affected by the breach. T-Mobile CEO John Legere wrote in an open letter on the carrier’s website that he is “incredibly angry about this data breach” and that T-Mobile will be reevaluating its relationship with Experian.
[tweet https://twitter.com/JohnLegere/status/649716186482016256 align=’center’]
T-Mobile CEO on Experian’s Data Breach
I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.
We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.
Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.
Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.
Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.
T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.
At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.
FTC: We use income earning auto affiliate links. More.