Experian has disclosed that a data breach stretching over two years compromised the personal information of about 15 million T-Mobile subscribers who had applied for credit.
The credit bureau said hackers had stolen data including names, addresses, and dates of birth, as well as encrypted social security numbers, from a computer server. Its consumer credit database was not affected.
T-Mobile had sent the data to Experian so it could perform credit checks on potential customers who sought financing for phones or cellular plans from Sept. 1, 2013 through Sept.16, 2015.
Although there is no evidence to date that the data has been used inappropriately, Experian strongly encouraged affected consumers to accept its offer of two years of credit monitoring and identity resolution services.
“We take privacy very seriously and we understand that this news is both stressful and frustrating,” Experian North America’s chief executive Craig Boundy said in a news release. “We sincerely apologize for the concern and stress that this event may cause.”
T-Mobile’s CEO John Legere said the cell phone vendor was working with Experian to take protective steps for all affected consumers as quickly as possible.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote in a letter to consumers. “Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.”
Experian said the hackers may have cracked its encryption to access the T-Mobile customer information.
“As massive data breaches go, it could be worse: Experian and T-Mobile have both said that the hacked files didn’t include any credit card or banking data,” Wired reported. “Even so, the hoard of T-Mobile customer data can still be used for assembling profiles for identity theft.”
Experian’s data security is the focus of a class-action lawsuit over a breach through which a Vietnamese identity theft service accessed more than 200 million customers’ data last year.