Hackers stole the personal data of 15 million T-Mobile customers by going after the company that processes the wireless carrier's credit checks.
The company, Experian, said Thursday that it experienced a breach that nabbed customer data from September 1, 2013, to September 16, 2015. The stolen data includes names, birth dates, addresses, and Social Security and drivers' license numbers, but not credit card or payment information, Experian said.
Experian stores the data when it runs a check on customers' credit scores to determine whether they qualify for service and what promotions they're able to take advantage of. At risk from the breach is anyone who went through a credit check, whether an existing or former customer, or even an applicant who opted to switch right after the approval process.
The breach marks the latest high-profile compromising of personal data, a list that includes the US government and health insurer Excellus BlueCross BlueShield. Last year, Home Depot and Target were among the major companies hit by hackers in what has become increasingly dangerous cyberwaters.
"This data breach is certainly a big deal," said Jonathan Bowers, a fraud and data specialist at fraud prevention provider Trustev. "Give a fraudster your comprehensive personal information, they can steal your identity and take out lines of credit that destroy your finances for years to come."
T-Mobile CEO John Legere warned his customers in a tweet, blog post and frequently asked questions page. "Obviously I'm incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," he said.
The 15 million people hit by the breach represent more than a quarter of Bellevue, Washington-based T-Mobile's 58.9 million customers, although some of the affected are no longer subscribers.
Experian, which is taking responsibility for the breach, said it's in the process of notifying customers who may be affected. Both existing and former customers would receive letters next week, according to a T-Mobile spokesman.
The company is offering two years of credit monitoring and identity protection services through ProtectMyID, which it owns. Any T-Mobile customers, regardless of whether they were affected, can take advantage of the offer.
"It is not enough because the lasting effect can go on for more than two years," said Stephen Coty, chief security evangelist for security software provider Alert Logic.
An Experian spokesman said the fraud resolution service would be available for as long as customers need it.
"We take privacy very seriously and we understand that this news is both stressful and frustrating," said Craig Boundy, chief executive of Experian North America.
The company also warned customers to be wary of email and the like. Neither T-Mobile nor Experian will contact its customers to seek personal information in connection with the breach.
Updated at 7:13 p.m. and on Friday at 9:01 a.m. PT: To include analyst comments, additional background and information on those affected.