Overview: Unauthorized Acquisition of Personal Information
- On Sept. 15, 2015, Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server.
- Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained.
- The unauthorized access was an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015.
- Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were accessed. No payment card or banking information was obtained.
- Experian notified appropriate federal and international law enforcement agencies and has taken additional security steps to help prevent future incidents.
- We continue to investigate the theft, closely monitor our systems, and work with domestic and international law enforcement. Investigation of the incident is ongoing.
- Experian is notifying the individuals who may have been affected and is offering free credit monitoring and identity resolution services for two years. In addition, government agencies are being notified as required by law.
- Although there is no evidence that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services.
Frequently Asked Questions
About the Incident
Q: What happened?
A: Experian's network server was accessed by an unauthorized party. The unauthorized access was an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015.
Experian's consumer credit database was not accessed, and no other clients' data was accessed.
At this time, we have no indication that T-Mobile's information has been used inappropriately.
As soon as Experian detected the unauthorized access, we notified law enforcement and initiated a full investigation. We continue to investigate the incident and we are taking the necessary steps to prevent it from recurring.
Q: What information might have been compromised?
A: Based on our investigation to date, some T-Mobile applicants who applied for services from Sept. 1, 2013 through Sept. 16, 2015 had unauthorized disclosure of their personal information. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver's license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were downloaded. No payment card or banking information was obtained. Experian's consumer credit database was not accessed as part of this incident.
What does this mean for me?
Q: How do I know if I was impacted?
A: Based on our investigation to date, this incident may have impacted individuals who applied for service at T-Mobile USA, Inc. from Sept. 1, 2013 through Sept. 16, 2015. If you applied for postpaid service or financed a device during that time period, you could be impacted.
Q: Isn’t all of my personal data that was exposed enough to steal my identity?
A: The information that was exposed could lead to an increased risk of identity theft. Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened. We encourage all eligible consumers to enroll in the complimentary identity resolution services we have offered.
Q: What is Experian doing to help me protect my identity?
A: We are providing affected T-Mobile applicants with two years of free credit monitoring and identity resolution services through ProtectMyID. This service provides you with a credit report from Experian upon enrollment, credit monitoring from all three nationwide credit reporting agencies, internet scans, access to specialized fraud resolution agents and more.
Consumers affected by this incident can obtain more information or enroll in these services by:
- Visiting www.ProtectMyID.com/SecurityIncident
- Calling 866-369-0422 to enroll in ProtectMyID or the alternative identity protection product
- Sending an email with questions to email@example.com
Individuals who believe they are affected but have not received a notification via mail by Nov. 30, 2015 are encouraged to visit www.experian.com/T-MobileFacts to learn about enrollment in credit monitoring and identity protection or call to enroll via an agent. Please enroll by April 30, 2016.
Q: What else can I do to protect myself?
A: There are several additional steps you can take to protect your information:
- Always remain vigilant against threats of ID theft or fraud.
- If you suspect you are a victim of identity theft or fraud, you have the right to file and obtain a copy of the police report.
- Be alert to "phishing" by someone who acts like a colleague or friend and requests sensitive information over email, such as passwords, Social Security numbers, or bank account numbers. (Note: Experian or T-Mobile will NOT ask for sensitive information over email.)
- Consider placing a fraud alert or security freeze on your credit file.
The Federal Trade Commission (FTC) also provides information about how to avoid identity theft and what to do if you suspect your identity has been stolen. Contact the FTC at www.consumer.ftc.gov, 1 877 ID THEFT (1 877 438 4338), or the FTC Identity Theft Clearinghouse, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. You also can get information from your state's attorney general.
Q: How do I put a fraud alert on my credit report?
A: You may consider placing a fraud alert on your credit report. This fraud alert statement informs creditors of possible fraudulent activity within your report and requests that your creditor contact you prior to establishing any accounts in your name.
You may place a fraud alert by calling any one of the three national consumer reporting agencies. Contacting any one of the three agencies will place an alert on your file at all three agencies:
- Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-EXPERIAN (397-3742); www.experian.com/fraud; P.O. Box 9554, Allen, TX 75013
- TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 2000, Chester, PA 19022-2000
Q: What else can I do to protect my credit?
A: You may also consider contacting the credit reporting agencies directly if you wish to put in place a security freeze on your account. A security freeze restricts all creditor access to your account, but might also delay any requests you make for new accounts. Check with the credit reporting agencies for their specific procedures regarding security freezes.
Q: Should I close my bank account?
A: There were no bank account numbers contained in the file accessed, based on our investigation to date. However, it is always a good practice to monitor your banking activity.
Q: Should I close my credit card or other accounts?
A: There were no credit card numbers or account numbers contained in the file accessed, based on our investigation to date. However, it is always a good practice to monitor your credit card activity.
Q: What should I do if someone calls me saying they're from T-Mobile, Experian, or another company, asking for additional information from me so they can help protect me?
A: Under no circumstances will Experian or T-Mobile call you or send you a message and ask for your personal information in connection with this incident. You may go to the website listed above or contact Experian or T-Mobile directly, but you should not provide personal information to anyone who calls you or sends you a message about this incident.
I'm Still Confused
Q: Why is Experian notifying me when I applied for credit at T-Mobile?
A: Experian is handling notification about this unauthorized access given that the information was stored on a server in one of our business units. Experian is also providing credit monitoring and identity resolution services to those individuals affected by this incident.
Q: Did T-Mobile Have a Breach?
A: There was no breach of T-Mobile's security or systems. The unauthorized access occurred on an Experian server that happened to contain information on some T-Mobile applicants, based on our investigation to date.
Q: Why is there a delay between the incident and notifying me that this happened?
A: We began the process of notification as soon as it was evident that sensitive identifying information had been exposed in the incident. Our first priority was mitigation and containment, followed by conducting an investigation. This investigation was necessary to validate that we were able to successfully contain the incident and determine the scope.
This process required some time, and we wanted to be sure that we provided accurate information. Thus, we also took steps to evaluate the information acquired, as well as to identify current addresses to provide postal notice to impacted individuals. We will continue to update you if our ongoing investigation yields additional information.
Q: What's "additional information used in T-Mobile's own credit assessment?"
A: In order to evaluate the risk level of a credit applicant, T-Mobile uses a variety of information to determine the likelihood that a borrower will be able to pay. Information used to do this can include a consumer’s payment history, as well as information from Experian or other sources. That information is then compiled and used in their credit criteria when evaluating the risk level of an applicant. In this case, the data acquired included the fields containing those assessments, but not the underlying information used in calculating the assessment.
What We’re Doing to Make it Right
Q: What steps have you taken to remediate the issue?
A: We are addressing this issue with strengthened IT security, and we are providing those affected by this theft with the assistance they need. This has been a top priority for Experian. When Experian discovered this intrusion, we quickly notified law enforcement. Experian took several steps to mitigate the issue including but not limited to:
- assessing and removing any presence of malware or improper connectivity
- performing assessment of isolation procedures of the affected server and associated systems
- engaging U.S. and international law enforcement
- increasing monitoring of the affected servers and associated systems
Q: What are you doing to prevent this from happening again?
A: Experian is committed to building customers for life and is working tirelessly to improve our security systems and processes. We have taken immediate steps to harden our environment. To ensure our security measures and practices stand up to the high standards to which we hold ourselves.
Q: Since Experian was compromised, can it effectively offer credit monitoring?
A: Absolutely. This was an isolated incident of one server and one client's data. The consumer credit bureau was not accessed in this incident and no other clients' data was involved.
Q: Do you know who was behind this?
A: We do not know who the criminals were behind this incident, but we have contacted and are cooperating with law enforcement in their ongoing investigation into who was responsible.