Millions of T-Mobile Customers Exposed in Experian Breach

A T-Mobile US Inc. Store Ahead Of Earnings Figures
Craig Warga/Bloomberg via Getty Images

By Jim Finkle

Experian, the world's biggest consumer credit monitoring firm, disclosed Thursday a massive data breach that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US (TMUS).

Connecticut's attorney general said he will launch an investigation into the breach.

Experian said it discovered the theft of the T-Mobile customer data from one of its servers on Sept. 15. The computer stored information about some 15 million people who had applied for service with telecoms carrier T-Mobile during the prior two years, Experian said.

%VIRTUAL-pullquote-Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian.%T-Mobile Chief Executive Officer John Legere said the data included names, addresses, birth dates, Social Security numbers, drivers license numbers and passport numbers. Such information is coveted by criminals for use in identity theft and other types of fraud.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," T-Mobile Chief Executive Officer John Legere said in a note to customers posted on the company's website. "But right now my top concern and first focus is assisting any and all consumers affected."

The Experian breach is the latest in a string of massive hacks that have each claimed millions -- and sometimes tens of millions -- of customer records, including the theft of personnel records from the U.S. government this year, a 2014 breach on JPMorgan Chase (JPM) and a 2013 attack on Target's (TGT) cash register systems.

It is also the second massive breach linked to Experian. An attack on an Experian subsidiary that began before Experian purchased it in 2012 exposed the Social Security numbers of 200 million Americans and prompted an investigation by at least four states, including Connecticut.

Experian said Thursday it had launched an investigation into the new breach and consulted with law enforcement.

The company offered two years of credit monitoring to all affected individuals. People, however, said that they didn't want credit protection from a company that had been breached.

Legere responded by promising to seek alternatives.

"I hear you," he said on Twitter. "I am moving as fast as possible to get an alternate option in place by tomorrow."

Experian said the breach didn't affect its vast consumer credit database.

Legere said no payment card or banking information was taken.

T-Mobile had nearly 59 million customers as of June 30. A representative for the carrier said that not all 15 million of the affected applicants had opened accounts with T-Mobile.

The telecom carrier's shares were down 1.3 percent in extended trading after closing little changed at $40.13 on the New York Stock Exchange.

In the earlier data breach affecting Experian, a Vietnamese national confessed in U.S. court last year to using a false identity to opening an account with the unit, known as Court Ventures, sometime before Experian purchased it in 2012.

A spokeswoman for Connecticut Attorney General George Jepsen said Thursday that it would investigate the latest attack.

The spokeswoman, Jaclyn Falkowski, declined to elaborate on the T-Mobile incident, but said the investigations of the Court Ventures matter "is active and ongoing."

-Karen Friefeld and Arathy Nair contributed reporting.