Experian hacks T-Mobile users’ personal data

By SABRINA CHEN For The News-Letter

Hackers recently stole the personal details of up to 15 million T-Mobile United States customers through Experian, the world’s largest credit checking company.

Following the high profile corporate hack, Experian suffered its biggest one-day fall in over a year, with shares dropping more than four percent. The company holds data on millions of businesses and consumers and conducts billions of credit checks each year.

Experian has performed an increasing number of credit checks on behalf of T-Mobile in the past two years as the mobile network company has continued to grow. T-Mobile, the third largest mobile network in America, has threatened to cancel its contract with Experian.

“I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian,” John Legere, the chief executive of T-Mobile U.S., said in a letter to consumers on the T-Mobile site.

According to T-Mobile, the hackers acquired 15 million records, including new applications for credit checks and device financing from Sept. 1, 2013 through Sept. 16, 2015. The stolen records include personal details such as names, addresses, dates of birth, Social Security numbers and driver’s license identification numbers.

“The information that was exposed could lead to an increased risk of identity theft,” Experian stated in an FAQ. “Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened.”

Experian said that it discovered the data theft from one of its servers on Sept. 15. The computer stored information for about 15 million people who applied for service with T-Mobile in the last two years.

Experian’s web of electronic connections to companies of all sizes, including T-Mobile, makes it particularly attractive to hackers. Experian said that defending its customers against cyber attacks has been a major focus of the company in recent years. The company is taking immediate action to secure the breached server and is also going forward with a comprehensive investigation. Experian will also formally notify U.S. and international law enforcement. Experian added that the breach luckily did not affect its vast consumer credit database.

Experian has planned to notify effected customers and, as compensation, will offer two years of free credit monitoring and identity resolution services. However, many customers said that they did not want additional credit protection from a company that had been breached.

“We take privacy very seriously and we understand that this news is both stressful and frustrating,” Craig Boundy, chief executive officer of Experian North America, said in a press release.

This is the second major breach linked to Experian. The first was an attack on the company in 2012 that exposed the Social Security numbers of 200 million Americans and prompted an investigation by at least four states.

Experian is not alone. Cyberattacks on large companies, such as Sony, Staples, Target and Home Depot, have become increasingly prevalent in the U.S. in the last couple of years. Carphone Warehouse in the United Kingdom revealed last August that personal details of up to 2.4 million customers may have been stolen. This information can be used by the hackers for the purposes of identity theft and other types of fraud.

Ron Arden, the vice president of Fasoo, a data and software security company, said that this hack should be viewed as a wake-up call for any business that provides third parties with access to sensitive customer data. He believes that T-Mobile should be responsible for protecting all sensitive data within its supply chain.

“Unless they did a security audit on those partners and are satisfied they will maintain sensitive data in a safe way, they are vulnerable,” Arden told eSecurityPlanet. “The service provider should apply strong encryption to the data that is controlled through persistent, dynamic security policies that can restrict its use to only authorized people.”