On Thursday, T-Mobile disclosed that it suffered a data breach involving the personally identifiable information (PII) of 15 million current, former and prospective customers.
The attack was the result of cybercriminals hacking into Experian, a credit reporting bureau and identity theft protection provider that partners with T-Mobile to process credit applications on its behalf. Credit applications are commonly required for financing devices and applying for service plans.
Experian said it discovered the hack of their servers on September 15 and immediately notified T-Mobile and law enforcement officials.
Exposed data includes the names, addresses, birth dates, Social Security numbers, driver’s license numbers and even passport numbers of individuals who applied for T-Mobile services between Sept. 1, 2013 and Sept. 16, 2015. Only customers who applied for credit with T-Mobile are at risk of exposure.
This stolen data, particularly the leaked Social Security numbers, can be used to commit identity crimes.
Last week, the U.S. Department of Justice’s Bureau of Justice Statistics reported that there were 17.6 million identity fraud victims in 2014.
This is the second massive data breach associated with Experian. Court Ventures exposed the Social Security numbers of 200 million Americans prior to being acquired by Experian. However, the perpetrator continued to siphon Social Security numbers from the service for nearly ten months following Experian’s purchase of Court Ventures in 2012.
T-Mobile’s CEO has been very public about his feelings towards their vendor and their involvement in the T-Mobile/Experian hack.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian,” T-Mobile’s CEO John Legere said in a note to customers. “But right now my top concern and first focus is assisting any and all consumers affected.”
T-Mobile is currently offering customers two years of complimentary credit monitoring and identity protection through ProtectMyID, an Experian-owned and operated company. The use of Experian, the company that first exposed their data, angered many customers, who took to social media demanding a more secure alternative. Legere responded via Twitter, promising to seek alternative service providers.
Since the disclosure of the T-Mobile/Experian hack, the Attorney General of Connecticut has already announced an impending investigation into the incident.
What should you do?
Customers who obtained credit through T-Mobile are urged to take the following precautionary measures to reduce their risk of identity crimes.
Review your credit report
Social Security numbers exposed in the T-Mobile/Experian hack may be used to open new lines of credit in your name. Catch identity theft early by reviewing your credit report for unfamiliar accounts. Consumers are entitled to one free credit report a year from all three credit bureaus (Experian, TransUnion and Equifax) when they visit AnnualCreditReport.com.
Prevent fraudulent credit being opened in your name
By placing a fraud alert on your credit file, a business cannot issue credit in association with your information without first verifying your identity. That means no one could simply walk into a store and get an immediate line of credit. You would receive a letter in the mail first.
Enroll in complimentary identity protection services
You may enroll in two years of complimentary credit monitoring and identity protection services via ProtectMyID by visiting ProtectMyID.com/securityincident. Enrollment information will also be sent via mail. T-Mobile plans to announce an alternative provider to accommodate those with security concerns. Fighting Identity Crimes will keep you updated as more information becomes available.
Watch for spam or phishing attempts via phone or email
Many breaches are followed by related phishing attacks. Experian and T-Mobile will not send you breach-related information via email, phone or other online communication. Find more information on spotting a phishing scam.
Keep your passport securely stored
In the case of the T-Mobile/Experian hack, the exposure of passport numbers alone does not pose a significant risk to your identity; however, it does provide a valuable reminder that passports are brimming with PII. Make sure to keep your physical passport securely stored and be cautious when providing passport information to unverified parties.