Hackers make off with Experian credit data of 15 million T-Mobile customers

US chief exec says business relationship with credit agency under review

Fifteen million sets of T-Mobile customer data have been stolen after a data breach at credit agency Experian.

Stolen details include names, birth dates and social security information, including driver's licence and passport numbers, though apparently not financial details, both T-Mobile and Experian have confirmed.

Apparently, T-Mobile subscribers who were credit-checked between early and mid-September are most at risk.

The breach has already called into question the ongoing business relationship between T-Mobile and Experian.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," T-Mobile CEO John Legere said in a rapid-response blog.

"I take our customer and prospective customer privacy VERY seriously," he continued.

"This is no small issue for us. I do want to assure our customers that neither T-Mobile's systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."

It was a clear denial of any blame whatsoever, and a flaming ball which Experian seems, publicly at least, to be happy to keep in its court.

"We sincerely apologise for the concern and stress that this event may cause," said Experian's North America chief executive Craig Boundy, with a separate company statement attempting to shed more light on what went wrong.

"There was no breach of T-Mobile's security or systems. The unauthorized access occurred on an Experian server that happened to contain information on some T-Mobile applicants, based on our investigation to date," admitted the statement.

"Experian's network server was accessed by an unauthorized party. The unauthorized access [was] an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015," continued the statement.

"Experian's consumer credit database was not accessed, and no other clients' data was accessed."

The statement recommends that although "there is no evidence that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services".

It also acknowledges the distinct risks for end users: "The information that was exposed could lead to an increased risk of identity theft," it says.

"Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened."

However, Luke Brown, vice president and general manager for EMEA & Latam at data loss prevention service Digital Guardian, said it isn't enough for Experian to simply accept the blame and for T-Mobile to get off scot-free:

"While many businesses are placing more emphasis on their own data protection these days, it's easy to forget third parties in the supply chain pose just as much of a risk to security. Simply assuming that suppliers and partners have adequate protection in place isn't good enough, steps must be taken to ensure that critical customer information is protected regardless of where it is in the supply chain.

"Ultimately, T-Mobile's customers aren't going to care where and how the breach occurred, the bottom line is they trusted T-Mobile with their sensitive data and now that trust is broken."