T-Mobile Credit Hacking Stole 15 Million Customers’ Data

If you applied for service from T-Mobile in the last couple years, you might want to keep a sharp eye out for identity theft, because your personal information may be in the hands of hackers. The data breach, which involved credit reporting agency Experian, resulted in the theft of data pertaining to 15 million T-Mobile customers.

Experian revealed via press release that one of its servers was compromised last month. According to the press release, the breach resulted in the theft of T-Mobile customer data that was obtained and stored between September 1, 2013, and September 16, 2015.

In addition to basic information, like names and birth dates, the hackers also obtained sensitive data like social security numbers and drivers’ license numbers. According to the Experian press release, no credit card information was obtained.

T-Mobile CEO John Legere was not pleased with the announcement. In a public statement, he expressed his anger with Experian and outlined the protective measures that victims of the data breach can take. He also vowed to review T-Mobile’s relationship with the credit reporting agency.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian,” Legere said via the statement issued on the T-Mobile website. “I take our customer and prospective customer privacy VERY seriously.”

Legere also hit Twitter to perform damage control. According to the T-Mobile CEO, not all of the data belonged to T-Mobile customers, and Experian is required to notify each victim individually.

.@johnbyrnetics second step in response – corrections. It’s actually 15M credit applicants. Not all are known TMO customers.

— John Legere (@JohnLegere) October 1, 2015

Legere has also promised additional alternatives to the free credit monitoring available via the public statement that he issued on the T-Mobile website.

.@csoghoian Trust me, I get it. We’ll have an alternative option tomorrow.

— John Legere (@JohnLegere) October 1, 2015

Since the hacking didn’t involve T-Mobile’s servers, victims may be wondering why Experian had their sensitive personal data in the first place. According to CNET, T-Mobile transmits the data to Experian whenever a prospective customer applies for post-paid service. Experian then uses the data to run a credit check, which T-Mobile uses to determine whether the individual qualifies for service.

According to CNET, the credit hack impacts over 25 percent of T-Mobiles entire customer base. However, T-Mobile CEO John Legere claims that only some of the victims were customers of the mobile carrier. It isn’t clear whether the rest applied for service and didn’t go through with the transaction, or if the hack involved data from another company altogether.

It also isn’t clear why Experian stores the data instead of trashing it. Experian claims that the data was encrypted, which is good, but the credit reporting agency believes the encryption was also compromised.

Update: According to Legere, Experian was legally required to hang on to the data.

@Burgertoasted legal requirement

— John Legere (@JohnLegere) October 2, 2015

According to the Experian press release, the credit reporting agency “takes privacy very seriously.”

“We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause,” Craig Boundy, Chief Executive Officer of Experian North America, said via the press release. “That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation.”

Experian is taking the blame for the hack, but T-Mobile has also offered help for victims of the breach.

If you applied for post-paid service from T-Mobile between the dates of September 1, 2013, through September 16, 2015, your data may have been compromised. Experian has offered free credit monitoring services through ProtectMyID, which the credit reporting agency owns.

The offer is not limited to T-Mobile customers. If you certify that you applied for T-Mobile service within the time period affected by the hack, you will be eligible for the offer, regardless of whether you signed up or not.

While T-Mobile has indicated that additional options will be available to victims of the hack, the details are not yet available.

[Photos by John Moore and Michael Loccisana / Getty Images Entertainment]