Wireless carrier T-Mobile is warning that 15 million customers had their personal information compromised in a data breach at credit reporting company Experian.
In a bizarre twist of irony, those customers are currently being offered two years of free credit monitoring from ProtectMyID.com – a service owned and operated by Experian.
The data breach, announced on Thursday, 1 October, affects those who applied for service or device financing from T-Mobile between September 2013 and September 2015.
No payment details like credit card or debit card numbers were stolen in the breach, but that’s small comfort.
The compromised data is a goldmine for identity thieves, according to a letter from T-Mobile CEO John Legere:
- names, addresses, birth dates and telephone numbers
- “encrypted” Social Security numbers (SSN) or other identity numbers (such as a driver’s license or passport number)
- along with “additional information used in T-Mobile’s own credit assessment”
Although SSN and other ID numbers were encrypted in some fashion, T-Mobile said in an FAQ the “encryption may have been compromised.”
If those SSNs were stolen, then combined with the other identifying data like names and addresses, they are a recipe for all kinds of identity theft.
A crook could use your SSN and identity to open credit card accounts in your name, apply for bank loans for items like cars, or file phony tax returns.
T-Mobile and Experian confirmed that the breach was a result of unauthorized access of an Experian server where the T-Mobile customer data was stored.
Notifications to the affected T-Mobile customers are actually being sent out by Experian, which advised those customers to enroll in their free credit monitoring by visiting the ProtectMyID website or by calling a toll-free number.
Legere acknowledged the, shall we say, uncomforting fact that Experian is both the source of the problem and the offered solution in this incident.
Legere took to Twitter on Thursday, saying T-Mobile is looking for an alternative option to provide customers with credit monitoring.
Legere also implied in his letter to customers that T-Mobile might sever its ties to Experian, saying he was “incredibly angry,” and will be conducting a “thorough review of our relationship with Experian.”
Experian CEO Craig Boundy, in a press release, offered an apology.
Experian said it’s taking steps to mitigate the fallout from the incident, including removing any malware, isolating affected servers, increasing monitoring of affected systems, and working with law enforcement.
All of this sounds good, but we wonder if Experian’s data security protocols weren’t up to snuff to begin with.
The credit monitoring company has also experienced problems with indirect data leakage.
A few years ago, a crook who worked as a kind of identity thief broker compiled personal information on 200 million Americans by reportedly purchasing data in bulk from an Experian-owned company called Court Ventures.
And it was revealed in 2012 that identity thieves were fraudulently acquiring consumer credit reports from Experian by hacking banks, car dealerships and other businesses that use the service for credit checks.
If the people who are supposed to monitor your credit can’t be trusted to keep your data safe from identity thieves, who can you trust?
5 tips to protect your privacy and identity
- Create unique, strong passwords for all your online accounts: use at least 14 characters, including a mix of letters, numbers, special characters, and upper/lowercase. Better yet, use a password manager like LastPass to generate random passwords. Remember to password-protect your mobile devices as well.
- Use two-factor authentication (also called two-step verification) where possible to add an extra layer of security for your accounts.
- Go over your bank statements the same week you receive them to check for any suspicious charges.
- Review your Facebook settings to make sure you aren’t sharing more than you thought with people you don’t know.
- Log out of websites (yes, including Facebook and Twitter!) when you aren’t using them to reduce the chance of being tricked into posting or liking by mistake.