“In the wake of a massive data breach affecting Experian’s computers holding 15 million files of T-Mobile customers and applicants, we question why the firms are offering credit monitoring instead of paying to place credit, or security, freezes on all three of each victim’s credit reports. Only the security or credit freeze, available in any state, stops new account identity theft.Potential victims should freeze all of their “Big 3” credit reports from Experian, Equifax and TransUnion.
Reports indicate Experian lost data for 15 million customers and applicants of the wireless phone company T-Mobile, including names, addresses and birth dates and social security numbers, among other information breached from the consumer files.
First, this breach of 15 million records through an Experian server is completely outrageous, since credit bureaus are subject to very high security standards but losing Social Security Numbers — the keys to new account identity theft – makes this breach much worse. That’s why placing security freezes is the only way to guarantee consumers peace of mind.
Worse, Experian, which lost the data, has offered its own branded “Protectmyid” credit monitoring. While reports indicate that T-Mobile is not happy and will offer an alternate credit monitoring service, that doesn’t solve the underlying problem:credit monitoring tells you only after you’ve been victimized. Only the freeze blocks a thief from obtaining new credit accounts in your name. Placing a freeze on all three of your credit reports prevents new account financial identity theft but credit monitoring does not.
We will have further comments on this developing story. We will also be asking the CFPB, FTC, Department of Justice and state attorneys general to investigate how Experian, subject to very high standards for the security of its own credit reports, had such a sloppy system for protecting T-Mobile customer data. How can all of the 200 million consumers with Experian credit reports trust that Experian really is protecting them?”
Statement of PIRG Consumer Program Director Ed Mierzwinski on Letter to Regulators Urging Investigation of Experian/T-Mobile Data Breach
“The breach of 15 million T-Mobile customer and applicant records by a subsidiary of the national credit reporting agency Experian is troubling. Our group letter from over 25 national and state consumer privacy organizations asks the CFPB and FTC for a full investigation. Here are just a few of the questions we raise:
If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why? If it was subject to the same protections as the credit reporting server, doesn’t this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?
Since credit monitoring, which has been offered to victims by the firms, doesn’t stop new account identity theft, Is there any authority for the CFPB to require the nationwide CRAs to provide free security freezes to affected consumers?”
T-Mobile CEO on Experian’s Data Breach
I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.
We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.
Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.
Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.
Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident. Additionally, Experian issued a press release that you can read here, and you can view their Q&A at Experian.com/T-MobileFacts.
T-Mobile’s team is also here and ready to help you in any way we can. We have posted our own Q&A here to keep you as informed as possible throughout this issue.
At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day.
Sincerely,
Statement From Experian
Unauthorized Acquisition of Personal Information
On Sept. 15, 2015 Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server.
Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained.
Based on Experian’s investigation to date, the unauthorized access was an isolated incident over a limited period of time. It included access to a server that contained identifying information for some organizations and, primarily, personal information for individuals, including some current customers, and also consumers who applied for T-Mobile USA postpaid service or device financing, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015.
Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment were accessed. No payment card or banking information was obtained.
Experian notified appropriate federal and international law enforcement agencies and has taken additional security steps to help prevent future incidents.
We continue to investigate the theft, closely monitor our systems, and work with domestic and international law enforcement. Investigation of the incident is ongoing.
Experian is notifying the individuals who may have been affected and is offering free credit monitoring and identity resolution services for two years. In addition, government agencies are being notified as required by law.
Although there is no evidence at this time that the data has been used inappropriately, Experian strongly encourages affected individuals to enroll in the complimentary identity resolution services.
Leave a Reply
You must be logged in to post a comment.