Skip to content
T-Mobile customers hit by Experian breach get credit monitoring by Experian
Naked Security Naked Security

T-Mobile customers hit by Experian breach get credit monitoring by Experian

In a bizarre twist of irony, T-Mobile customers are being offered two years of free credit monitoring from ProtectMyID.com - a service owned and operated by Experian.

Data leak

Wireless carrier T-Mobile is warning 15 million customers whose personal information was compromised in a data breach at credit reporting company Experian.

In a bizarre twist of irony, those customers are currently being offered two years of free credit monitoring from ProtectMyID.com – a service owned and operated by Experian.

The data breach, announced on Thursday, 1 October, affects those who applied for service or device financing from T-Mobile between September 2013 and September 2015.

No payment details like credit card or debit card numbers were stolen in the breach, but that’s small comfort.

According to a letter from T-Mobile CEO John Legere, the stolen data includes:

  • names, addresses, birth dates and telephone numbers
  • “encrypted” Social Security numbers (SSN) or other identity numbers (such as a driver’s license or passport number)
  • along with “additional information used in T-Mobile’s own credit assessment”

Although SSN and other ID numbers were encrypted in some fashion, T-Mobile said in an FAQ the “encryption may have been compromised.”

The compromised data is a potential goldmine for identity thieves.

If SSNs were stolen, combined with the other identifying data like names and addresses, it’s a recipe for all kinds of identity theft.

A crook could use your SSN and identity to open credit card accounts in your name, apply for bank loans for items like cars, or file phony tax returns.

T-Mobile and Experian confirmed that the breach was a result of unauthorized access of an Experian server where the T-Mobile customer data was stored.

Notifications to the affected T-Mobile customers are actually being sent out by Experian, which advised those customers to enroll for their free credit monitoring by visiting the ProtectMyID website or by calling a toll free number.

Legere acknowledged the, shall we say, uncomforting fact that Experian is both the source of the problem and the offered solution in this incident.

Legere took to Twitter on Thursday, saying T-Mobile is looking for an alternative option to provide customers with credit monitoring:

Legere also implied in his letter to customers that T-Mobile might sever its ties to Experian, saying he was “incredibly angry,” and will be conducting a “thorough review of our relationship with Experian.”

Experian CEO Craig Boundy, in a press release, offered an apology.

Experian said it’s taking steps to mitigate the fallout from the incident, including removing any malware, isolating affected servers, increasing monitoring of affected systems, and working with law enforcement.

All of this sounds good, but we wonder if Experian’s data security protocols weren’t up to snuff to begin with.

The credit monitoring company has also experienced problems with indirect data leakage.

A few years ago, a crook who worked as a kind of identity thief broker compiled personal information on 200 million Americans by reportedly purchasing data in bulk from an Experian-owned company called Court Ventures.

And it was revealed in 2012 that identity thieves were fraudulently acquiring consumer credit reports from Experian by hacking banks, car dealerships and other businesses that use the service for credit checks.

If the people who are supposed to monitor your credit can’t be trusted to keep your data safe from identity thieves, you can you trust?

5 tips to protect your privacy and identity

  1. Create unique, strong passwords for all your online accounts: use at least 14 characters, including a mix of letters, numbers, special characters, and upper/lowercase. Better yet, use a password manager like LastPass to generate random passwords. Remember to password-protect your mobile devices as well.
  2. Use two-factor authentication (also called two-step verification) where possible to add an extra layer of security for your accounts.
  3. Go over your bank statements the same week you receive them to check for any suspicious charges.
  4. Review your Facebook settings to make sure you aren’t sharing more than you thought with people you don’t know.
  5. Log out of websites (yes, including Facebook and Twitter!) when you aren’t using them to reduce the chance of being tricked into posting or liking by mistake.

Image of leaky bucket courtesy of Shutterstock.com.

10 Comments

John Legere tweeted that he indicated T-Mobile is researching alternatives to credit monitoring from Experian.

I personally am impacted, but I have not yet signed up for the Experian credit monitoring. 1) Because it requires me to provide my information again, which will put it into another Experian database. 2) Because there may be another option soon. 3) Because I already have a fraud alert logged at the 3 credit rating firms. I’d recommend others look into this as it’s not a bad preventive control.

https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp

A fraud alert logged at Equifax should automatically transfer to the other firms. I have found the Equifax interface to be the easiest to work with.

Sad thing to boot about that Equifax link. The HTTPS security if flagged on my browser
1) The Certificate chain for this website contains at least one certificate that was signed using a deprecated signature
2) Your Connection is encrypted using an obsolete cipher suite.

It’s even worse than that; the credit monitoring offer requires you, with a straight face, to provide credit card information as if you were a recurring billed customer. It’s unbelievable. Like here, have the one thing you didn’t already hand out, I trust you.

Actually the service is a FREE, F.R.E.E., FREEEEEEEEEEE 2 year plan provided BY Experian free of charge but how would I know that… Oh wait……. I work in the call center getting the calls of angry people yelling at me telling me it is personally my fault. Glorious. So if they are asking for your credit card information they are doing their job wrong.

Can you trust anything you didn’t pay for?
Seriously, what is any businesses incentive for FREE stuff?

The only cost I see is the reputation.

Experian is hoping that it will be off the hook with the two years of free monitoring service. What we need is a lifetime of free monitoring service …. we cannot change our SSN! So, it will haunt us until we die!

Seems like a moronic business model, if anyone cares about security & ultimate consequences to the economy.

This then begs the question –
do such companies owe anything to an economy?

Who is responsible for damages incurred?

Can anyone track culpability, since it requires a trail from Experian?

When do the companies breached decide to blatantly pass on the cost of their breaches to the customers?

I don’t know how much I would trust giving anymore critical info to a company that was just compromised. Isn’t Experian’s job to keep your identity protected? Thanks but no thanks……

Ironic indeed, that if they didn’t already have enough information about you to cause fraud, they will after you given Experian that information required by protectmyid: Social Security No., Mother’s Maiden Name, Date of Birth, Phone Number. Yeah, I got one of those letters, and I was particularly confused because I didn’t actually sign up for device financing with T-Mobile. So information Experian didn’t have before the breach, they would now have afterwards if I just blindly provide it to them.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?