Experian Hack Exposes Data of 15 Million T-Mobile Consumers

Experian on Thursday announced that a server containing information on T-Mobile customers was compromised, and that information of roughly 15 million individuals has been exposed.

Experian processes credit applications on behalf of T-Mobile, and the attackers gained access to personally identifiable information of the carrier's customers, specifically people who applied for T-Mobile USA postpaid services or device financing, and therefore underwent a credit check, between September 1, 2013 and September 16, 2015.

The company said the stolen data includes names, addresses, dates of birth, and encrypted fields containing Social Security numbers and/or an alternative form of ID such as a driver's license or passport number, along with other information that T-Mobile uses in its credit assessments. No payment card or banking information was taken, but Experian says the encryption protecting those fields may have been compromised, so they should be treated as exposed.

Experian describes this as an isolated incident over a limited period and says there is no evidence that the stolen data has been used inappropriately. The exposed data nevertheless poses a high identity theft risk, and everyone who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015 is advised to enroll in the complimentary identity resolution services being offered.

Although T-Mobile's own systems were not breached, the incident is expected to affect the carrier. T-Mobile CEO John Legere has already posted a statement online saying that he is “incredibly angry about this data breach” and that the company will review its relationship with Experian.

The wireless carrier notes on a Q&A page that Experian has taken full responsibility for the data theft and has begun notifying individuals who may have been affected. Experian says it has also taken steps to contain the incident: assessing its web application firewalls, strengthening the protection of its encryption keys, restricting authorized access to the affected server, and adding monitoring of the affected servers. It has also contacted U.S. and international law enforcement and cybercrime authorities.

Security experts commenting on the incident describe it as a wake-up call for wireless carriers and their partners, who they say should keep improving the protection of customer data.

Tim Erlin, director of IT security and risk strategy at Tripwire, pointed out that the breach does not appear to affect all Experian customers, but cautioned that details of the incident could change in future announcements from the two companies.

“It’s tempting to consider this breach a lesser risk because no credit card data was compromised, but the loss of this type of personal information can lead to identity theft. It can be both difficult and costly for consumers to recover when their identity is stolen. While this is certainly not good news for those affected, the fact that no other customers of Experian’s appear to be compromised indicates that they’re segregating the data in a way that limits exposure. Breaches are a fact of life these days, and limiting damage is an important part of a comprehensive protection strategy,” Erlin told SecurityWeek.

“Wireless carriers have long been a hot target for hackers due to the wealth of information they store on their customers. It should not be a surprise that we see cybercriminals targeting business partners that prove to be easier targets than the carriers themselves. This should be a wake-up call for the carriers and their business partners to be on guard, as we usually see these types of attacks occur in clusters within a given industry,” Ken Westin, senior security analyst at Tripwire, added.

According to data loss prevention expert Gord Boyce, CEO of file security firm FinalCode, the user information stolen from Experian can be combined with data from other sources and used in sophisticated attacks.

“It’s become commonplace to offer credit monitoring to victims of a data privacy breach, but other attacks could fall outside the monitored time period. While there is reference to Experian’s use of encryption for some data, this public disclosure would indicate that personal and identifiable information has, indeed, been exposed. The T-Mobile and Experian relationship illustrates the importance of tracking and auditing the use of sensitive and regulated data in different forms throughout its lifecycle and processing supply chain,” Boyce said.