US mobile carrier T-Mobile has admitted that up to 15 million customer records have been compromised following a breach of data at its credit monitoring vendor Experian.
The breach, which affects consumers who applied for T-Mobile services between 1 September 2013 and 16 September 2015, resulted in the exposure of names, addresses and birth dates, along with Social Security, driving licence and passport numbers.
The data loss has been blamed on compromised encryption, and was discovered on 15 September. It is now being investigated by federal and international law enforcement.
John Legere, T-Mobile US chief executive, said he is “incredibly angry” about the significant loss of data.
“We will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy very seriously. This is no small issue for us,” he said.
“I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”
Legere added that the 15 million affected people are not all T-Mobile users, stressing that the total figure is made up of credit applicants and not just direct customers.
Experian, which has taken full responsibility for the breach, warned that the stolen data may lead to an increased risk of identity theft.
“Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened,” the firm said.
“We encourage all eligible consumers to enrol in the complimentary identity resolution services we have offered.”
Craig Boundy, chief executive of Experian North America, said that his firm takes data privacy “very seriously”.
“We sincerely apologise for the concern and stress that this event may cause. That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation,” he said.
The breach is the latest in a long line of cyber attacks against high-profile targets, including the US Office of Personnel Management and United Airlines, as well as a significant breach in 2014 at banking giant JP Morgan.
Legere has indicated that T-Mobile will look for an “alternative option” for customers who do not want to use Experian in the future.
I hear you re: Experian as service protection option. I am moving as fast as possible to get an alternate option in place by tomorrow.
— John Legere (@JohnLegere) October 1, 2015
Luke Brown, vice president and general manager at Digital Guardian, explained that third parties are often overlooked when it comes to data protection.
“While many businesses are placing more emphasis on their own data protection these days, it’s easy to forget that third parties in the supply chain pose just as much of a risk to security,” he said.
“Ultimately, T-Mobile’s customers aren’t going to care where and how the breach occurred. The bottom line is they trusted T-Mobile with their sensitive data and now that trust is broken.”
Guy Bunker, vice president of products at security firm Clearswift, added that the Experian incident is another example of a “long-lived attack which has taken years to come to light”.
“For Experian, this could prove disastrous. While they say that this is only a part of their business, how can we be sure? After all, it has been happening for two years without their knowledge,” he said.