If you’re a T-Mobile customer, we’ve got bad news; likewise, if you’re not a T-Mobile customer, we also have bad news. A huge data breach at Experian, a company that processes applications for T-Mobile contracts, has left cybercriminals in possession of 15 million records of both successful and unsuccessful T-Mobile contract applications. These records include names, addresses, and birth dates, as well as social security and passport numbers.
John Legere, the CEO of T-Mobile, took to the company’s official website to write an honest and fairly scathing letter detailing the breach. He explained that the breach took place between Sept. 1 and Sept. 16, and that T-Mobile is currently contacting all of the customers (and would-be customers) affected by it. In the meantime, Experian is offering two years of free credit monitoring to anyone targeted in the breach, claiming that its credit monitoring services were not affected by the hack.
Whether you want to trust Experian with additional data is, of course, a risk you’ll have to consider. Even Legere said that he is “[instituting] a thorough review of our relationship with Experian.”
The name, address, and birthdate records were all unencrypted, which is obviously not ideal, considering how much a sophisticated attacker can do with that information. Experian did encrypt social security numbers and passport/driver’s license ID numbers, but has some reason to believe that the attackers in question may have broken through it. Breaking through encryption is usually difficult and time-consuming, but if a hacker has access to an encryption key (possibly also stored on Experian servers), it can be done.
T-Mobile is in the process of contacting people whose information fell into the wrong hands, so unless you receive an e-mail from the company, you (probably) have nothing to worry about. If you’re one of the unlucky 15 million, however, consider signing up for Experian’s credit monitoring, or perhaps a different organization’s, if you don’t mind paying out of your own pocket. T-Mobile has also set up an FAQ on the subject.