Credit check firm Experian has been hacked, exposing the personal details of 15 million users of its services including T-Mobile US customers.
T-Mobile CEO John Legere revealed the news in an angry statement posted to the carrier’s site.
He said those affected include new applicants requiring a credit check for service or device financing from 1 September 2013 to 16 September 2015.
The details lifted include name, address, and birth date. Social Security and ID (passport, driving license etc) details were encrypted but “Experian has determined that this encryption may have been compromised,” Legere said.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” he added.
“I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”
Those concerned they may have been affected can sign up for two years of free credit monitoring and identity resolution services, the T-Mobile boss concluded.
In a separate update, Experian claimed that no payment card or banking information was compromised and that it was in the process of informing customers.
“We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause,” said Craig Boundy, CEO of Experian North America, in a statement.
“That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation.”
Luke Brown, EMEA general manager at Digital Guardian, argued that the incident highlights the risk posed by third parties in the supply chain.
“Simply assuming that suppliers and partners have adequate protection in place isn’t good enough, steps must be taken to ensure that critical customer information is protected regardless of where it is in the supply chain,” he added.
“Ultimately, T-Mobile’s customers aren’t going to care where and how the breach occurred, the bottom line is they trusted T-Mobile with their sensitive data and now that trust is broken.”