The world's biggest consumer credit monitoring agency Experian has suffered a major data breach that has seen hackers steal the personal data of 15 million T-Mobile USA customers. The hack affects the records of all existing customers, as well as new applicants who applied for a mobile contract between 1 September 2013 and 16 September 2015. It is standard policy for T-Mobile to submit customer details to Experian to perform a credit check before any post-paid contract services or device financing is granted.
Experian, which discovered that its servers had been hacked on 15 September, confirmed that the data stolen by the hackers includes full names, dates of birth, addresses and, most worryingly, social security numbers, as well as drivers' license numbers, passport numbers and military IDs, which were used as an alternative form of ID. However, the agency confirmed that the hack did not affect its consumer credit database, and that no payment card or banking information was stolen.
"We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologise for the concern and stress that this event may cause," said Experian North America's CEO Craig Boundy.
"That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."
In conjunction with the press statement released by Experian, T-Mobile USA's chief executive John Legere penned an open letter to T-Mobile customers, in which he confirmed the data breach and stressed that the mobile operator is now working to take protective steps with all of the affected consumers as quickly as possible.
"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously," he wrote in a letter linked directly to T-Mobile's homepage.
"This is no small issue for us. I do want to assure our customers that neither T-Mobile's systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."
T-Mobile US is now offering all T-Mobile customers two years' worth of free credit monitoring and identity resolution services with Protect My ID. Ironically, during the major data breach that affected US retailer Target's cash registers in December 2013, Target offered its customers one year of free credit monitoring and identity theft protection with Experian.
Second Experian data breach to date
This is the second data breach to have happened to Experian, which is one of the three big credit reporting agencies in the US and holds credit data on hundreds of millions of US citizens and residents. In 2012, a Vietnamese hacker called Heiu Minh Ngo gained access to private data belonging to 200 million consumers owned by a firm called Court Ventures, and the hacker than sold access to this database to 1,300 criminals who wanted to commit identity theft.
Experian purchased Court Ventures in March 2012, but it failed to notice what was going on in its subsidiary for another nine months until the US Secret Service alerted the firm. Ngo is now in prison, but ongoing lawsuits relating to the data breach continue to dog the agency to this day.