If you ever applied for device financing or service from T-Mobile anytime in the last two years, your personal information might have been stolen by hackers.
T-Mobile says as many as 15 million people may have been affected by the data breach, an attack that didn't compromise T-Mobile's own systems but rather those of its credit partner — the data vendor and credit bureau Experian. To be clear, the hack hurts even non-subscribers to T-Mobile — credit applicants who for whatever reason ultimately went with another service.
One of our vendors, Experian, experienced a data breach. See what we're doing about it: https://t.co/1oTcclmGXe
— John Legere (@JohnLegere) October 1, 2015
Experian says no credit card or banking data was stolen as part of the attack, which affects T-Mobile credit applicants dating back to September 2013. The company says the breach was fixed within "a matter of days" after it was discovered mid-last month.
But just because your financial information may be safe doesn't necessarily mean the rest of your personal information is secure: names, addresses, Social Security numbers, birth dates and driver's license and passport numbers were all leaked. Some of this data was encrypted, but Experian's encryption may have been compromised, according to T-Mobile.
T-Mobile is offering two years of free credit monitoring to those who think they may have been affected. But it's no small irony to note that the credit monitoring service is being provided by none other than Experian itself.
Experian says its own consumer credit database "was not accessed" in the incident, but the fact that any systems run by Experian were breached at all is problematic: Experian is one of the major credit scoring agencies in the country, and it safeguards vast amounts of data on everyday Americans.
T-Mobile chief executive John Legere said in a statement that he is "incredibly angry about this data breach" and vowed to review the company's relationship with Experian. He also tweeted that T-Mobile is looking to offer alternatives to Experian's credit monitoring program, but did not disclose what those might be.
"Right now," he said in a company statement, "my top concern and first focus is assisting any and all consumers affected."
Correction: An earlier version of this post said the Experian hack began in 2013. In fact, the data on affected credit applicants dated back to 2013.