Data breach hits roughly 15M T-Mobile customers, applicants

A hack of Experian, the company that handles credit checks for the wireless carrier, results in the loss of T-Mobile customers' Social Security numbers, birth dates and names.

Roger Cheng Former Executive Editor / Head of News
Roger Cheng (he/him/his) was the executive editor in charge of CNET News, managing everything from daily breaking news to in-depth investigative packages. Prior to this, he was on the telecommunications beat and wrote for Dow Jones Newswires and The Wall Street Journal for nearly a decade and got his start writing and laying out pages at a local paper in Southern California. He's a devoted Trojan alum and thinks sleep is the perfect -- if unattainable -- hobby for a parent.
Expertise Mobile, 5G, Big Tech, Social Media Credentials
  • SABEW Best in Business 2011 Award for Breaking News Coverage, Eddie Award in 2020 for 5G coverage, runner-up National Arts & Entertainment Journalism Award for culture analysis.
Roger Cheng
3 min read

T-Mobile CEP John Legere said he was "incredibly angry" about a data breach at the company that processes the wireless carrier's credit checks.
T-Mobile CEO John Legere said he was "incredibly angry" about a data breach at the firm that handles the carrier's credit checks. Eduardo Munoz/Reuters/Corbis

Hackers stole the personal data of 15 million T-Mobile customers by going after the company that processes the wireless carrier's credit checks.

The company, Experian, said Thursday that it experienced a breach that nabbed customer data from September 1, 2013, to September 16, 2015. The stolen data includes names, birth dates, addresses, and Social Security and drivers' license numbers, but not credit card or payment information, Experian said.

Experian stores the data when it runs a check on customers' credit scores to determine whether they qualify for service and what promotions they're able to take advantage of. At risk from the breach is anyone who went through a credit check, whether an existing or former customer, or even an applicant who opted to switch right after the approval process.

The breach marks the latest high-profile compromising of personal data, a list that includes the US government losing the information of 4 million federal workers and health insurer Excellus BlueCross BlueShield seeing 10 million health records exposed. Last year, Home Depot and Target were among the major companies hit by hackers in what has become increasingly dangerous cyberwaters.

"This data breach is certainly a big deal," said Jonathan Bowers, a fraud and data specialist at fraud prevention provider Trustev. "Give a fraudster your comprehensive personal information, they can steal your identity and take out lines of credit that destroy your finances for years to come."

T-Mobile CEO John Legere warned his customers in a tweet, blog post and frequently asked questions page. "Obviously I'm incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," he said.

The 15 million people hit by the breach represent more than a quarter of Bellevue, Washington-based T-Mobile's 58.9 million customers, although some of the affected are no longer subscribers.

Experian, which is taking responsibility for the breach, said it's in the process of notifying customers who may be affected. Both existing and former customers would receive letters next week, according to a T-Mobile spokesman.

The company is offering two years of credit monitoring and identity protection services through ProtectMyID, which it owns. Any T-Mobile customers, regardless of whether they were affected, can take advantage of the offer here.

"It is not enough because the lasting effect can go on for more than two years," said Stephen Coty, chief security evangelist for security software provider Alert Logic.

An Experian spokesman said the fraud resolution service would be available for as long as customers need it.

"We take privacy very seriously and we understand that this news is both stressful and frustrating," said Craig Boundy, chief executive of Experian North America.

The company also warned customers to be wary of email and the like. Neither T-Mobile nor Experian will contact its customers to seek personal information in connection with the breach.

Updated at 7:13 p.m. and on Friday at 9:01 a.m. PT: To include analyst comments, additional background and information on those affected.