Experian breach may have exposed 15 million T-Mobile records

Elizabeth Weise | USA TODAY

SAN FRANCISCO — A hacker has acquired the records of 15 million T-Mobile customers and people who had applied for credit, the company reported Thursday.

The breach, which affected two years worth of records,occurred at Experian, the vendor that processes T-Mobile's credit applications, T-Mobile CEO John Legere said in a post on the site.

Experian North America said in a notice that one of its business units was compromised, but that its consumer credit bureau was not affected.

Experian has notified both U.S. and international law enforcement. Experian North America's parent company, Experian is headquartered in Dublin, Ireland.

"The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015," Legere wrote.

"The data set was for applicants and customers of T-Mobile who applied for service over that two year period," said Experian spokeswoman Susan Henson.

The breach happened approximately two weeks ago. It "was discovered within two days, secured immediately, comprehensive forensic investigation launched (and still continuing) and we announced it today to quickly notify consumers. Our notification to state attorneys’ general happens tomorrow," Henseon said.

In a refreshing change from the corporate-speak often used by CEOs whose businesses are breached, T-Mobile's Legere stayed true to form with his directness.

"Obviously I am incredibly angry about this data breach," he said, saying he would conduct a "thorough review" of his company's relationship with Experian but that his top concern for now was "assisting any and all consumers affected."

The compromised information includes customers' names, addresses and birth dates as well as encrypted fields with Social Security number and ID number, which could be a driver’s license or passport number.

Experian told T-Mobile the encryption protecting those numbers may have been compromised, Legere said.

Experian and T-Mobile have set up two years of free credit monitoring and identity resolution services for compromised customers. Ironically, the service is being offered through Experian's own credit monitoring service.

Experian cautioned consumers that under no circumstances would either Experian or T-Mobile call them or send them messages asking for personal information in connection with the breach.

"You may go to the website, but you should not provide personal information to anyone who calls you or sends you a message about this incident," Experian said in a statement.

Follow USA TODAY reporter Elizabeth Weise on Twitter: @eweise.