Data breach hits roughly 15M T-Mobile customers, applicants
A hack of Experian, the company that handles credit checks for the wireless carrier, results in the loss of T-Mobile customers' Social Security numbers, birth dates and names.
Roger ChengFormer Executive Editor / Head of News
Roger Cheng (he/him/his) was the executive editor in charge of CNET News, managing everything from daily breaking news to in-depth investigative packages. Prior to this, he was on the telecommunications beat and wrote for Dow Jones Newswires and The Wall Street Journal for nearly a decade and got his start writing and laying out pages at a local paper in Southern California. He's a devoted Trojan alum and thinks sleep is the perfect -- if unattainable -- hobby for a parent.
ExpertiseMobile, 5G, Big Tech, Social MediaCredentials
SABEW Best in Business 2011 Award for Breaking News Coverage, Eddie Award in 2020 for 5G coverage, runner-up National Arts & Entertainment Journalism Award for culture analysis.
Hackers stole the personal data of 15 million T-Mobile customers by going after the company that processes the wireless carrier's credit checks.
The company, Experian, said Thursday that it experienced a breach that nabbed customer data from September 1, 2013, to September 16, 2015. The stolen data includes names, birth dates, addresses, and Social Security and drivers' license numbers, but not credit card or payment information, Experian said.
Experian stores the data when it runs a check on customers' credit scores to determine whether they qualify for service and what promotions they're able to take advantage of. At risk from the breach is anyone who went through a credit check, whether an existing or former customer, or even an applicant who opted to switch right after the approval process.
"This data breach is certainly a big deal," said Jonathan Bowers, a fraud and data specialist at fraud prevention provider Trustev. "Give a fraudster your comprehensive personal information, they can steal your identity and take out lines of credit that destroy your finances for years to come."
T-Mobile CEO John Legere warned his customers in a tweet, blog post and frequently asked questions page. "Obviously I'm incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," he said.
The 15 million people hit by the breach represent more than a quarter of Bellevue, Washington-based T-Mobile's 58.9 million customers, although some of the affected are no longer subscribers.
Experian, which is taking responsibility for the breach, said it's in the process of notifying customers who may be affected. Both existing and former customers would receive letters next week, according to a T-Mobile spokesman.
The company is offering two years of credit monitoring and identity protection services through ProtectMyID, which it owns. Any T-Mobile customers, regardless of whether they were affected, can take advantage of the offer here.
"It is not enough because the lasting effect can go on for more than two years," said Stephen Coty, chief security evangelist for security software provider Alert Logic.
An Experian spokesman said the fraud resolution service would be available for as long as customers need it.
"We take privacy very seriously and we understand that this news is both stressful and frustrating," said Craig Boundy, chief executive of Experian North America.
The company also warned customers to be wary of email and the like. Neither T-Mobile nor Experian will contact its customers to seek personal information in connection with the breach.
Updated at 7:13 p.m. and on Friday at 9:01 a.m. PT:To include analyst comments, additional background and information on those affected.