On Thursday T-Mobile revealed that hackers had breached Experian’s network and stolen a trove of T-Mobile’s data, which the carrier had sent to Experian to perform credit checks on potential customers seeking financing for phones or cellular plans. The data stolen from those 15 million victims includes their names, addresses, and birthdates, as well as encrypted social security numbers, drivers’ license ID numbers, and passport ID numbers. Both companies note that encryption may have been cracked by the intruders—Experian didn’t respond to a question from WIRED as to what sort of encryption was used. Finally, the two firms note that “additional information used in T-Mobile’s own credit assessment” may have also been breached, but neither responded to a request for comment on what that “additional information” entailed.
“I take our customer and prospective customer privacy VERY seriously. This is no small issue for us,” T-Mobile’s CEO John Legere wrote in a statement. “Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.”
Experian’s breach, according to the two companies, includes customers who had applied for financing as recently as September 16. But it stretches back just over two years. Experian has said it’s notifying all victims by mail, and offering them two years of credit monitoring. Anyone who believes their data was included in the breach can sign up for that monitoring here.
The danger in any breach of a data broker like Experian, of course, is that the company aggregates information on many millions of consumers for credit checks and marketing. The resulting hacker bullseye includes private data that goes well beyond any single corporate client’s consumers. Experian didn’t respond to WIRED’s request for further comment on whether other individuals’ data beyond the T-Mobile customers had also been accessed in its intrusion.
How Serious Is This?
As massive data breaches go, it could be worse: Experian and T-Mobile have both said that the hacked files didn’t include any credit card or banking data. Even so, the hoard of T-Mobile customer data can still be used for assembling profiles for identity theft.
Though the breach will no doubt ding the reputations of both companies, T-Mobile is taking pains to pin the blame squarely on Experian. “Experian has taken full responsibility for the theft of data from its server,” reads an FAQ on T-Mobile’s website. “Our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network.”
The theft of T-Mobile’s customer details is hardly the first time hackers have hit a data broker, as fraudsters hone their attacks on ever-more centralized repositories of personal information. Experian itself allowed a Vietnamese identity theft service to access more than 200 million customers’ data just last year. And the year before, hackers hit credit agency Equifax and tried to sell the credit history data of celebrities, politicians, and even first lady Michelle Obama.
This latest breach is unusual only in that Experian’s insecurity has dragged T-Mobile into its privacy scandal. Perhaps that corporate collateral damage can send a message to other potential partners of data brokers: If consumers can’t pressure data aggregators like Experian into securing their secrets, perhaps the consumer-facing companies who collect that information can.