The breach affects new applicants who required a credit check for service or a new device between September 1, 2013, and September 16, 2015. Experian said the hack did not affect its consumer credit database.
The hackers obtained encrypted information from the records, including Social Security numbers, driver’s license numbers and passport information. The hack involved names and addresses, but bank information and payment card numbers were not swept up in the breach.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” wrote T-Mobile CEO John Legere in a blog post. “I take our customer and prospective customer privacy VERY seriously. This is no small issue for us.”
Since the massive breach of Target customers’ financial information in late 2013, it seems a new major hack comes to light every few weeks. From Home Depot to Anthem to the Office of Personnel Management, it seems no sector is safe.
Experian said that upon discovering the hack, it notified consumers who may be affected, secured its servers, began an investigation and notified law enforcement. It is also offering consumers two years of identity resolution services.
Experian did everything right after the hack occurred. This breach just once again underscores that companies need to do more to prevent data breaches before they happen.
T-Mobile and Experian both warned that if you were a customer affected by this breach, you should not provide personal information to anyone who says they are asking for it in connection with the hack. Because no financial information was impacted, affected consumers do not have to close bank accounts or credit cards. They are, however, at an increased risk of identity theft.
At this time Experian says it does not know who is responsible, but it is cooperating with law enforcement.
Correction: Customers who applied for service or device financing between Sept. 1, 2013, and Sept. 16, 2015, were exposed to the breach. A previous version of this story stated the incorrect time period.