Experian Breach Hits 15mn T-Mobile US Customers

Data bureau Experian have announced they suffered a cyberattack which breached the data of 15 million customers of T-Mobile USA. Per their press release, the affected customers include…

…those who applied for T-Mobile USA postpaid services or device financing from September 1, 2013 through September 16, 2015, based on Experian’s investigation to date.

Experian, which makes its money by selling data that reduces credit and fraud risk, was keen to point out that its consumer credit database was not compromised. The information that was stolen includes…

…names, dates of birth, addresses, and Social Security numbers and/or an alternative form of ID like a drivers’ license number, as well as additional information used in T-Mobile’s own credit assessment. No payment card or banking information was acquired.

It appears that Experian acted quickly to mitigate the damage done.

Upon discovery of the incident, Experian took immediate action, including securing the server, initiating a comprehensive investigation, and notifying U.S. and international law enforcement.

Experian is in the process of notifying consumers that may be affected, and safeguarding their identity and personal information by offering two years of credit monitoring and identity resolution services through ProtectMyID… Although there is no evidence to-date that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services.

Experian also deserve credit for making the relevant information available on their website. They provide a comprehensive FAQ to help people worried about the consequences of this breach. This begs a question: why do so many other businesses do the opposite, and pretend it is better to allow customers to worry whilst they wait for a letter in the mail?

T-Mobile USA were also forthright in explaining the situation to their customers. Their website includes a message to customers from CEO John Legere that begins:

I’ve always said that part of being the Un-carrier means telling it like it is. Whether it’s good news or bad, I’m going to be direct, transparent and honest.

Legere also made it clear who was to blame for the security lapse.

Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.

The handling of this incident shows Experian and T-Mobile USA understand that a rapid response is key to limiting the damage done to shareholder value and corporate reputation. In that sense, they may still turn this crisis to their relative advantage. Big breaches of personal data have become increasingly common, but many organizations handle them poorly. In some ways, the public may gain a more positive impression of a management team that responds effectively to this kind of setback.

That said, we are forced to repeat a lesson that many refuse to learn. However well a business responds to being hacked, it would be better if they spent more on security, and did not allow the personal data of customers to be violated in the first place.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.