About 15M T-Mobile users affected by Experian data breach

Posted in iPhone, edited October 2015
Hackers targeting credit check firm Experian stole the personal data of approximately 15 million T-Mobile customers who applied for postpaid services or device financing, Experian announced on Thursday.




According to Experian, T-Mobile customer data logged between Sept. 1, 2013 and Sept. 16, 2015 was taken in the security breach. The attackers came away with names, dates of birth, addresses and forms of identification like Social Security numbers and driver's license numbers, as well as other information required by T-Mobile's internal credit assessment system.

Experian said the breach did not expose payment or banking information, nor did it affect the firm's consumer credit database.

"We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause," said Craig Boundy, CEO of Experian North America. "That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."

Affected users should receive notifications directly from Experian, which is offering those impacted two years of credit monitoring through ProtectMyID. Users can visit an FAQ webpage for more information.

T-Mobile CEO John Legere commented on the matter via Twitter and the carrier's official blog, but didn't offer much insight into the attack beyond what was already provided by Experian.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere said.

Today's data breach comes at a crucial time for America's third-largest cellular provider. Legere and company are trying to woo customers from market leaders Verizon and AT&T with aggressively priced payment plans, data incentives and contract-free services. With the recent launch of iPhone 6s, for example, T-Mobile sparked a minor price war after announcing a promotion that nets upgraders a new iPhone from $5 per month with trade-in, assumedly after a credit check.

Comments

  • Reply 1 of 37
    Isn't Experian one of the companies that reports on, and manages our credit scores? What a pathetic joke....

    "Network security" in the US has become an oxymoron. The Chinese, Ukrainians, Iranians, etc., are just eating our lunch. (Did I just sound like Donald Trump there, for a second? /shudder).
  • Reply 2 of 37
    SpamSandwich Posts: 33,408 member

    This is a really terrible hack. Apple is far more trustworthy and should be the company that takes Experian's place in the market.

  • Reply 3 of 37
    Quote:

    Originally Posted by SpamSandwich View Post

     

    Apple is far more trustworthy and should be the company that takes Experian's place in the market.


     

    You've managed to take Apple fanboyism to the next level. I would never have thought anybody would think that Apple becoming a credit rating agency would be a good idea. Congratulations!

  • Reply 4 of 37
    SpamSandwich Posts: 33,408 member
    Quote:

    Originally Posted by konqerror View Post

     

     

    You've managed to take Apple fanboyism to the next level. I would never have thought anybody would think that Apple becoming a credit rating agency would be a good idea. Congratulations!




    Are you kidding? Apple Credit would be fantastic.

  • Reply 5 of 37
    indyfx Posts: 321 member

    Experian is keeping its cards close to the chest, but I will bet (and give 10-1 odds) that it is yet another MS exploit (like Home Depot and Target)

    When will the IT lemmings begin to realize just how insecure MS (server/enterprise software) is?

     

    The (adapted) old IT adage "no one ever lost their job over choosing MS" becomes wildly less true every quarter.

  • Reply 6 of 37
    Quote:
    Originally Posted by sog35 View Post

     

    If you bought your phone outright would T-mobile still do a credit check?

    Can't remember if I gave them my SSN 2 years ago


     

    If you have a postpaid account then yes. I think carriers will rerun the check when you add a line and when you enable international roaming or calling. I've seen AT&T do a soft pull when you check upgrade status and they offer you an installment phone.

  • Reply 7 of 37

    Well, that sucks. My stuff already out there from the OPM breach anyway. <sigh>

  • Reply 8 of 37
    dmdev Posts: 33 member

    I don't know what good free credit monitoring is these days, since most of us by now are probably already covered by the "free monitoring" from 3-4 prior breaches.

  • Reply 9 of 37
    tyler82 Posts: 969 member

    Kinda weird that this article ends with a marketing promotion for T-Mobile. Yeah, let's all sign up for T-Mobile now and get a great deal on an iPhone! 

  • Reply 10 of 37
    tyler82 Posts: 969 member
    Quote:

    Originally Posted by IndyFX View Post

     

    Experian is keeping its cards close to the chest, but I will bet (and give 10-1 odds) that it is yet another MS exploit (like Home Depot and Target)

    When will the IT lemmings begin to realize just how insecure MS (server/enterprise software) is?

     

    The (adapted) old IT adage "no one ever lost their job over choosing MS" becomes wildly less true every quarter.




    And what is the alternative? Apple is slowly killing off OS X server hardware and software.

  • Reply 11 of 37
    indyfx Posts: 321 member
    Quote:
    Originally Posted by tyler82 View Post

     



    And what is the alternative? Apple is slowly killing off OS X server hardware and software.




    Apple enterprise servers?

    OS X server (and xSan) are intended for small business & specialty applications not as a general enterprise solution. 

    MS represents less than half of the enterprise servers right now (declining for the last decade or so BTW) The majority are BSD (& variants) and Linux (& variants).

     

    So... if you were seriously enquiring, there is a wealth of 3rd party (non MS) enterprise software running on those systems.

    The damage done to T-Mobile, Experian (and Target and Home Depot and...) will last for years and likely cost the companies hundreds of millions of dollars (possibly billions?) in direct and indirect costs. Big Business is (finally) getting the message that they simply can't afford to trust MS software in critical applications.

  • Reply 12 of 37
    foggyhill Posts: 4,767 member
    Quote:
    Originally Posted by IndyFX View Post

     

    Experian is keeping its cards close to the chest, but I will bet (and give 10-1 odds) that it is yet another MS exploit (like Home Depot and Target)

    When will the IT lemmings begin to realize just how insecure MS (server/enterprise software) is?

     

    The (adapted) old IT adage "no one ever lost their job over choosing MS" becomes wildly less true every quarter.


     

    Most "hacks" these days start with malware, then escalation through "normal channels" once inside

    Very few are direct attacks through the front door, why would anyone do that when idiot users give the key away. Usually done because for some crazy reason, once someone gets to root on a machine, they're allowed free rein on the company network! Who are the idiot IT morons who allow that to happen! That's how most hacks occurred, even one in Nuclear Plants in Iran!!!

    That's why I think you have to create tons of separate security domains inside firms, throw out all the convenience for added security in the most secure part of the firm, lock down users, keep them in cages (sic) that don't need access to higher levels (make sure that no one can ever escalate from their computer) and be as paranoid as you can be in detecting "intrusions" originating from your own damn users....

  • Reply 13 of 37
    indyfx Posts: 321 member
    Quote:
    Originally Posted by foggyhill View Post

     

     

    Most "hacks" these days start with malware, then escalation through "normal channels" once inside

    Very few are direct attacks through the front door, why would anyone do that when idiot users give the key away.

    That's why I think you have to create tons of separate security domains inside firms, throw out all the convenience for added security in the most secure part of the firm, lock down users, keep them in cages (sic) that don't need access to higher levels (make sure that no one can ever escalate from their computer) and be as paranoid as you can be in detecting "intrusions" originating from your own damn users....




    It's not that simple, yes the entry points are varied but it is the systemic security issues that allow the attackers to elevate that access to other servers. For example the Home Depot breach was made using a "crafted" email compromising a MS email server (as I recall it was used to communicate with & pay 3rd party contractors) but the elevation to the customer credit account servers was achieved via hacking standard MS cross server security protocols.

    Trying to complicate an insecure system only makes it more confusing and difficult to maintain security (as was indicated in the Home Depot and Target incidents) You need adequate basic system security at the core, and that MS doesn't seem to be able to do, at any level.

  • Reply 14 of 37
    Isn't Experian one of the companies that reports on, and manages our credit scores? What a pathetic joke....

    "Network security" in the US has become an oxymoron. The Chinese, Ukrainians, Iranians, etc., are just eating our lunch. (Did I just sound like Donald Trump there, for a second? /shudder).

    It is, and not only that, they sell an Experian-branded identity fraud protection service.
  • Reply 15 of 37
    foggyhill Posts: 4,767 member
    Quote:

    Originally Posted by IndyFX View Post

     



    It's not that simple, yes the entry points are varied but it is the systemic security issues that allow the attackers to elevate that access to other servers. For example the Home Depot breach was made using a "crafted" email compromising a MS email server (as I recall it was used to communicate with & pay 3rd party contractors) but the elevation to the customer credit account servers was achieved via hacking standard MS cross server security protocols.

    Trying to complicate an insecure system only makes it more confusing and difficult to maintain security (as was indicated in the Home Depot and Target incidents) You need adequate basic system security at the core, and that MS doesn't seem to be able to do, at any level.


     

    I've been heavily involved in securing sensitive sites for decades; there are no miracles when you need top security.

    Convenience must often be traded for security; it's a design decision one must knowingly make (but few do).

    And yes, I usually stay away from MS; recommend against it in anything that requires strong security.

    Because I have no way of understanding what the hell those boxes actually do, and why they do it.

    I normally stick to flavors of Unix where I have access to the code.

     

    The Home Depot "hack" wasn't really a god damn hack, a script kiddy could do it.

    The idiots involved should all have been sacked; complete amateur hour (maybe they were).

    Almost all users are total IDIOTS about security and can't be trusted with it (even if they're not actively using their computer to break in ;-).

    So, I must act like some parts of the inside network are actually worse than the outside and need to be isolated :-).

     

    Adequate basic security is a given in my scheme.

    Real security has a cost in time, money, complexity and yes convenience.

    You need actual security experts, even engineers, to make something tight,

    But, most companies don't give a crap and skimp out.

    They use their overworked, undertrained IT technicians and their overlord director (barely more qualified)... with only bare notions to do the job of designing those masterpieces of insecurity (which includes picking the correct Software to do the job (not MS))

  • Reply 16 of 37
    thepixeldoc Posts: 2,257 member
    konqerror wrote: »
    You've managed to take Apple fanboyism to the next level. I would never have thought anybody would think that Apple becoming a credit rating agency would be a good idea. Congratulations!

    D*mn! Hot on the heels of "the most asinine comment I've ever read on these forums"... comes this one!

    WTF are they putting in your water over there? Sorry.. I realize that's a dumb question since many are experiencing water shortages, but still... my mind is blown at some of the comments here of late(!) :no:
  • Reply 17 of 37
    evilution Posts: 1,397 member

    The only way to be sure is to not have the computer that holds this information connected to the internet.

  • Reply 18 of 37
    Quote:



    Originally Posted by konqerror View Post

     

     

    If you have a postpaid account then yes. I think carriers will rerun the check when you add a line and when you enable international roaming or calling. I've seen AT&T do a soft pull when you check upgrade status and they offer you an installment phone.


     

     

    Quote:
    Originally Posted by sog35 View Post

     

    If you bought your phone outright would T-mobile still do a credit check?

    Can't remember if I gave them my SSN 2 years ago




    I bought my phone outright.  When T-Mobile asked for my SSN, I said no.  Then I had to give them a deposit which is supposed to be returned after 12 months of good behavior (paying your bills on time).

  • Reply 19 of 37
    solipsismy Posts: 5,099 member
    1) Last year I gave T-Mo a shot due to their high trade-in for my old iPhone, the additional huge account pay off they offered as a new customer, and then I used their EIP (Equipment Installment Plan) program to pay off the device a little each month. My social security number was surely used for that, and I think my DL. The one thing I didn't do is keep a CC on file with T-Mo, just paid it off each month, but that doesn't mean that T-Mo didn't maintain a copy of my card number and data on their system, but I digress, since this breach was with Experian's storage of the T-Mo credit search.

    2) I would expect T-Mo and Experian to offer free credit monitoring for a year or two because of this, just like Target et al. have done before. I recommend everyone do this, and then set up a repeating Calendar entry to have you check every week, fortnight, or month to make sure your identity hasn't been compromised in terms of your credit rating. And I don't mean this only for T-Mo customers, but for everyone. If you can't get the service for free at least get your once-a-year, free credit report by signing up with one of the three major bureaus—and only them, do not use a third-party service. You won't get a score with the free once-a-year service, but you'll see any soft and hard inquiries made on your credit, and see any loans in your name. Note: Of course, that is US-centric, and I do not have information for other countries. If you have info please include it.

    3a) This breach is bad, and my mother messaged me "freaking out," as she put it. I told her there was nothing to worry about in the grand scope of things. This is the world we live in so for any internet facing accounts (especially), we need to 1) make sure all our passwords are unique, 2) and complex, 3) that our answers for recovery questions are unique, and 4) use two-step verification when possible, but we can't remember all that info so we need to learn to be experts with a password manager. I choose 1Password.

    3b) Additionally, we need to not freak out about these breaches; not because there is nothing to worry about, but because the breaches we know about are likely not the only breaches that exist. I bet there are countless breaches we've never known about that are worse. Who here worried about SSL security all those years before "Go To Fail" was found? Where was the worry about a gov't program called Prism that claimed major tech companies offer backdoors into our devices before Snowden revealed the PowerPoint slides? Why do we have a light on our camera to know it's on when we can see that on our Mac/WinPC screen when we're using it, but there is no such HW light tied to the microphone which could be listening and recording for years, or why we now freak out when we're given the option for Alexa or Siri to listen specifically for key words? We don't freak out because of the psychology of not knowing. KEEP CALM AND CARRY ON… BUT BE PROACTIVE AND SMART ABOUT IT.
  • Reply 20 of 37
    boredumb Posts: 1,418 member
    Quote:

    Originally Posted by SolipsismY View Post



    1) Last...etc.

    2) I would expect...etc.

    3a) This breach is bad...etc.

    3b)...we need to not freak out...(etc.) KEEP CALM AND CARRY ON… BUT BE PROACTIVE AND SMART ABOUT IT.

    Well, thanks!  I wasn't freaking out...until I realized how many of your suggestions I fudge,

    and how many of your points I've been taking for granted! ;-)
