T-Mobile US said Thursday that approximately 15 million people may be victims of a cyberattack on one of its vendors, Experian credit-services company.
John Legere, CEO of Bellevue-based T-Mobile, said in a public letter that the hacked records include those of credit applicants from Sept. 1, 2013 through Sept. 16, 2015, who required a credit check for T-Mobile service or device financing.
What you should know and can do
• The breach may affect 15 million people who applied for T-Mobile’s postpaid service or device financing from Sept. 1, 2013 to Sept. 16, 2015.
• Experian is mailing letters to anyone whose information may have been accessed. The letters should be received by Nov. 30.
• The information involved includes names, birth dates, addresses, Social Security numbers and/or driver’s license numbers, as well as information used in T-Mobile’s own credit assessment.
• No payment card or banking information is involved.
• Experian is providing two years of free credit-monitoring and identity-theft-protection services. That protection is available at www.protectmyID.com/securityincident. Sign-ups begin now.
• Experian and T-Mobile will not call or email and ask for sensitive information.
The records involved in the breach include name, address and birth date, as well as encrypted fields with Social Security numbers or ID numbers (such as driver’s license or passport) and additional information used in T-Mobile’s own credit assessments, Legere said. Payment-card numbers or bank-account information are not included.
Experian is the company Mountlake Terrace-based Premera used when it offered two years of free credit monitoring to the 11 million people affected by a cyberattack announced in March against the health insurer. The same service is now also being offered to people affected in the breach of T-Mobile data.
Experian said the breach does not extend to its consumer-credit bureau and its ability to offer credit monitoring has not been compromised.
“This was an isolated incident of one server and one client’s data,” the company said in a question-and-answer posting about the incident.
In response to customer concerns about using Experian for credit monitoring, Legere tweeted Thursday afternoon, “I hear you re: Experian as service-protection option. I am moving as fast as possible to get an alternate option in place by” Friday.
Experian said in the Q&A that it discovered the attack Sept. 15, but it did not say when the attack initially took place. The company is continuing to investigate and monitor its systems and is working with domestic and international law enforcement.
“We take privacy very seriously and we understand that this news is both stressful and frustrating,” Craig Boundy, chief executive officer of Experian North America, said in a statement. He said the company is moving “to provide protection and support to those affected by this incident.”
The company said it does not have evidence that the T-Mobile information has been used “inappropriately,” and that T-Mobile’s systems and network were not part of the breach.
This cyberattack is the latest in a series of breaches affecting companies from Target and Home Depot to insurance companies and the federal Office of Personnel Management.
Seattle-based cybersecurity consultant Bryan Seely rates the breach as a 7 on a scale of 1 to 10.
“Fifteen million Social Security numbers, names, addresses — that is not credit-card numbers,” he said. “When Target had a breach, people were reissued cards. You can’t reissue Socials that easily.”
He said having that personal information stolen puts people forever at risk of fraudulent tax returns and identity theft, not just during two years of monitoring, which has become the standard offer after breaches.
But a credit-monitoring offer from the same company that had a data breach, he said, is akin to hiring some guy across the street from your home to tell you if your house is on fire or not.