T-Mobile: Data encryption may have been compromised

Oct 1, 2015 22:52 GMT

T-Mobile has announced that data for 15 million of its customers has been compromised after Experian, a third-party vendor that processes the company's credit applications, was hacked.

According to statements issued by both companies, T-Mobile customers who required a credit check in order to benefit from service or device financing between September 1, 2013 and September 16, 2015 are affected.

T-Mobile says no data from other customers has been stolen, and Experian also states that no information on other Experian clients has been exposed. Additionally, no credit card details were leaked because they were not stored on its servers, since they were not needed for the credit check.

The stolen data consists of the names, addresses, birth dates and SSNs (Social Security Numbers) of T-Mobile customers. ID numbers were also stolen, but these vary depending on what type of ID the T-Mobile customer used. This can be a driver's license, regular ID, military ID, or passport.

The data was encrypted, but the encryption may be compromised

Experian says that all data was encrypted. In its press release, T-Mobile claims that "encryption may have been compromised."

Both companies alerted authorities and are now offering clients two years of free credit monitoring and identity resolution services through ProtectMyID. ProtectMyID is one of Experian's subsidiaries.

Experian's credit monitoring services are well known and highly regarded in the US, and were recently used by the Trump Hotels Collection after PoS systems were breached in seven of its hotels.

According to Experian's investigation, there are at this moment no signs that the data was used in fraudulent purchases.

No hacking group has taken credit for the incident, and probably nobody will. The person or group that executed this hack will probably end up selling all the customer data on the Dark Web.

“The information stolen from Experian can be combined with data from other sources and potentially used in sophisticated attacks. It’s become commonplace to offer credit monitoring to victims of a data privacy breach, but other attacks could fall outside the monitored time period,” said data loss prevention expert Gord Boyce, CEO of FinalCode, a file security firm.

“While there is reference to Experian’s use of encryption for some data, this public disclosure would indicate that personal and identifiable information has, indeed, been exposed. The T-Mobile and Experian relationship illustrates the importance of tracking and auditing the use of sensitive and regulated data in different forms throughout its lifecycle and processing supply chain.”

UPDATE: We were contacted by a T-Mobile spokesperson who told us that not all of the 15 million affected by the Experian hack are T-Mobile customers, some being just applicants who eventually did not sign a contract. Please bear in mind this detail when referencing our article.