15 Million People Hacked in T-Mobile Vendor Data Breach


T-Mobile customers should be on alert: Hackers stole the personal information of around 15 million people, including Uncarrier users, from its credit reporting agency, Experian. The stolen data includes Social Security numbers, addresses, and phone numbers.


Customers who signed up for T-Mobile recently are most at risk—people who joined between September 1, 2013 and September 16, 2015 may be among the hack targets.

T-Mobile CEO John Legere has confirmed the breach and is offering two years of credit monitoring for people who think they may be affected. Here’s his full letter:

I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.

Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.

Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.

T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.

At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.

[New York Times]


Wait.....Experian was hacked, but ONLY for T-Mobile users?

Bets on this getting much bigger, MUCH quicker. I mean, I get this is being called contained by Experian to T-Mobile, but anyone with any server and db sense can see where this is going. Yes, yes, I get they are stating it was not the consumer database. What they are NOT saying is if any other client “containers” were accessed. The only reason they wouldn’t clarify that specifically is because they are covering their asses.

My guess is that the server(s) handling the T-Mobile customers are part of a larger network of servers handling all requests for credit checks, because once you are into one, you pretty much can get access to all. In other words, databases and app servers that do credit checks would basically run the same software. The only difference is customers of Experian, like T-Mobile, would in essence “rent” a server to do the legwork. The server(s) they would rent would be in the same farm, performing the same function as those for say....Best Buy (example ONLY) that would be doing credit checks as well. Likely a VM farm. All the same, only the customers are different. So....once into one, into them all. Just a matter of exploiting the same weaknesses.