Experian Blamed After 15m T-Mobile Customer Details Are Stolen

T-Mobile has angrily hit out at credit agency Experian after uncovering a hack that compromised the personal details of 15 million of its US customers.

Data lifted by hackers includes names, birth dates and social security numbers, but no financial details, the mobile operator said.

Experian was being used by T-Mobile USA to process information on subscribers over a two-year period, meaning many more customers could still be at risk.

“Incredibly Angry”

T-Mobile USA CEO John Legere has reacted angrily to the news that his customers' details were compromised.

“We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people,” Legere said in a statement.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” he added.

“I take our customer and prospective customer privacy VERY seriously,” he said. “This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”

He explained that Experian has “taken aggressive steps” to improve the protection of its system and of T-Mobile data, but said that anyone concerned can sign up for two years of FREE credit monitoring and identity resolution services.

“At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day,” said Legere.

Sincerely Apologize

Experian described the hack as an “unauthorised acquisition of personal data” in its statement on the matter.

It said that on 15 September, Experian discovered an unauthorised party had accessed T-Mobile data housed in an Experian server. It claimed that the hack was an isolated incident over a limited period of time, and the compromised data contained personal information for consumers who applied for T-Mobile USA postpaid services between 1 September 2013 and 16 September 2015.

It said it has “notified appropriate federal and international law enforcement agencies and has taken additional security steps to help prevent future incidents.” It is also notifying the individuals who may have been affected and is offering free credit monitoring and identity resolution services for two years.

“We take privacy very seriously and we understand that this news is both stressful and frustrating,” said Craig Boundy, CEO of Experian North America, in a separate press release. “We sincerely apologize for the concern and stress that this event may cause.”

“That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation,” he added.

Data First

Some experts are warning that organisations need to rethink their security approaches.

“This incident highlights the need for a data-centric approach to securing sensitive information. Institutions are facing sophisticated, well-organised adversaries engaged in what has become a lucrative crime,” explained Chris Smith, VP at data protection specialists Privitar.

“Gone are the days when setting up perimeter security, encryption, and access controls for personal data were considered sufficient to prevent the mishandling or theft of data,” said Smith. “With so much at stake, the way companies manage and process data has had a direct impact on brand and customer loyalty along with severe regulatory implications.

“Companies must invest in modern techniques to ensure privacy-preserving algorithms travel with the data so that it is de-sensitised and of no value if it falls into the wrong hands,” concluded Smith. “By making the data worthless to a hacker, you remove the incentive altogether.”

His comments come after the Information Commissioner's Office (ICO) revealed earlier this week that it receives two complaints every day from consumers angry at businesses for not protecting their data.

In the summer a report revealed the scale of distrust that now exists between consumers and big businesses about people’s personal data. It found that 60 percent of consumers admitted they were uncomfortable sharing personal data. Indeed, 14 percent of consumers now refuse to share any personal data at all, and many supply firms with false data.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
