Skip to main content

T-Mobile informs customers of security breach with a credit application processor

T-Mobile has released a statement about the security breach of Experian, a company that T-Mobile uses to process its credit applications. CEO John Legere says that an investigation has revealed that the records of 15 million people were acquired by a third party between September 1, 2013 and September 16, 2015, some of whom were T-Mobile customers. There's a chance that you were one of the affected people if you signed up for new postpaid service or financed a device from T-Mobile in that time.

Records stolen include information such as name, address and birthdays. It also includes encrypted fields such as Social Security numbers and ID numbers like those on driver's licenses or passports. Additionally, Experian believes that their encryption may have been compromised.

Legere says that this breach did not affect T-Mobile's networks or systems themselves, and no bank or credit card information has been compromised. T-Mobile will review its relationship with Experian once the matter is resolved.

Anyone can sign up for two years of free credit monitoring and identity resolution with Experian now, and we strongly recommend you do so if you were a T-Mobile customer in the past two years.

Source: T-Mobile (opens in new tab)

99 Comments
  • dammit experian.
  • Fuuuuu**** Posted via the Android Central App
  • great!
  • T-mobile requires a social security number?
  • Why wouldn't they? Posted via the Android Central App
  • Part of the credit check for postpaid service. Completely standard.
  • Exactly Posted via the Android Central App
  • Sad world when mandatory credit checks are run on every single customer just to get a phone and service, these aren't cars or houses people are buying. With t-mo's push to get rid of 2 year contracts, why the hell do they need to know all this information about their customers?
  • They require a credit check for a Macy's credit card, too. And you might just be buying socks!
  • Because it is still "post"paid, IE "credit" .. Also, if you pay for the phone in installments, that's "credit" as well... If you don't like/want credit you can always get "pre"paid and pay for your phone in full of course..
  • Otherwise you could give them fake info, sign into a device payment plan, and then just leave without paying.
  • They still checked credit back in 2 year contract days its not anything new just a little less lenient now since you are giving someone a $500+ phone without much security that they are gonna pay the phone off.
  • I understand that these companies are susceptible to attack, but I would think that they would try harder to prevent such attacks. I guess customer security isn't a top priority. I wonder if illiterate people get the full effect of alphabet soup
  • Customer security is a top priority for every company. It really hurts the image of a business when stuff like this occurs. Posted via the Android Central App
  • Want to know how I know you don't work in InfoSec? IT departments in businesses large and small care about one thing: budget. Projects are completed, usually with limited resources. In order to get projects done on time and within budgets usually sacrifices security. Unless a company is required by law to have certain safeguards in place, they usually won't do it themselves. Even then auditors are a joke and never catch half the deficiencies. And finally, the hardest part to secure is the human element. Never underestimate the stupidity of your employees.
  • Oh man, if only you knew. I'll leave it at that. Posted via the Android Central App
  • Have to concur here. Case in point: the starbucks app doesn't (or at least didn't, until recently) even encrypt the user data..including cc info. Talk about tempting fate. This is why I try to avoid saving my payment info on websites for my "future convenience." Companies certainly do NOT always give this issue top priority. Posted via my Mate 7 or my Moto X Pure
  • Yep, the general public doesn't have a clue how little is reviewed from a security standpoint.
    Even for Experian, the highest priority is still selling and completing projects.
    The security auditors are a joke, they miss so much
  • Exactly this. Luckily I work IT in the medical field, so HIPAA ensures that we follow strict security guidelines. Posted from my Asus ZenFone 2.
  • The bottom line is what is most important. I don't think that customer security takes priority over the profit. I wonder if illiterate people get the full effect of alphabet soup
  • Can't have one without the other. Let's look at it in the extreme: If you knew that being a part of Verizon, for example, would give you a 100% chance of your information being stolen, would you be a part of that network? If you knew that shopping at Walmart would give you a 100% chance of your credit card information being stolen, would you shop there? Posted via the Android Central App
  • You're talking about the extreme. As a costumer you'd expect to be protected. You would expect that these companies would put your security at the same level is value as they see profits. Like I mentioned, I know it's not perfect, but security needs to be at a higher level when it comes to their business practices. Expectation and reality are 2 different things and maybe that's why I lack faith in any of these companies. I wonder if illiterate people get the full effect of alphabet soup
  • While I believe that you're generally correct, I'm not sure your scenario applies here. The consumer never chose Experian, T Mobile did. When a consumer gets their credit checked, they generally have no way to know which of the three major reporting companies are involved. So it comes down to the corporations...and Experian would have to make a lot of mistakes before large corporations are going to go through the effort of changing what credit reporting company they utilize.
  • What your missing is that until a breach occurs, it's not security itself, but the illusion of security.
    Security audits and approvals, SSL all give the illusion of security. If their is a bad enough of a breach, then management takes security seriously for a period of time.
    But even that can wear off as management changes etc.
  • Let us the next time you have some.
  • The attacker is always ahead of the attackee. Been this way since the beginning of time. Always one step a head. Posted via the Android Central App
  • Because it happened doesn't mean they don't try hard.
  • Your sentences contradict one another. You understand that these companies are susceptible to attack, but you think they should try harder and that clearly customer security isn't a top priority. What would it look like to you, then, if customer security WERE top priority while simultaneously being in a world where these companies are susceptible to attack? How would that manifest itself differently than what happened here? Because I imagine if it weren't a top priority, we'd see Experian being attacked monthly, or weekly, instead of nearly never. So for all we know, it is their absolute number one priority. But as they are susceptible, on rare occasions, SOMEONE will manage to get through despite their best intentions. Just like the safety of my kids is my number one priority, but on rare occasions I might accidentally forget to lock the back door.
  • Profit is number #1. It's not a contradiction. Companies need to do a better job of protecting the customer. I understand that everything isn't perfect, but if they were able to obtain 15,000,000 customers info they weren't doing enough to protect them. I wonder if illiterate people get the full effect of alphabet soup
  • Profit and security go hand in hand. Posted via the Android Central App
  • They should, but they don't. Posted via the Android Central App
  • It's experian, not T-Mobile Posted via the Android Central App
  • Who said anything about T-Mobile? I wonder if illiterate people get the full effect of alphabet soup
  • Well your rants about "customers" seems to imply you think this is tmo's fault. Check out my new YouTube channel for tech reviews!
  • No, that's how you interpret it. Common sense would say Experian if they were the one that was hacked. Posted via the Android Central App
  • Uh huh Check out my new YouTube channel for tech reviews!
  • Must have been Stagefright 2.0 Posted via The Next Big Thing. My Samsung Galaxy Note 5!
  • I have lifelock that I pay for. So with this experian Service free for 2 years it just saved me $360 over the next 2 years. I'll take that. Thanks hackers!!!! Posted via the Android Central App
  • People with lifelock got hacked too, including the CEO who put his ss# on the bus. Posted via the Android Central App
  • Some protection is better than none.... Just because someone caught an std while wearing a condom doesn't exactly mean it's not a good idea to wear them lol. Posted via the Android Central App
  • in the perfect world that would be true, but if whatever company gets breached, why would you go with them again and pay additional money to support them? In the old days as an example - say there ware 5 merchants and two of them practiced "bad business", sold bad or undesirable product, or any other services people did not buy, those two merchants would go out of business. Now days this isn't as simple anymore. Businesses with bad practices or undesirable product are instead reworded and thrive in the business world. The point is - the STD you caught while using a condom, you should stop using that particular condom's brand.... ever. :)
  • They are providing the service for free to TMobile customers. They aren't making any money off of it. They aren't being rewarded. The monitoring part of experian is a completely different branch than the experian TMobile credit scoring that got hacked. Posted via the Android Central App
  • OK - but what is your point? Whatever branch, does that makes it ok in your opinion ? why on earth would you trust them now?
  • Doesn't make it ok but different branches have different security measures. If not why wouldn't the hackers go after all the people experian has info on which is in the hundreds of millions instead of only TMobile users? Posted via the Android Central App
  • understood, but the customer's data was still breached. As per your note, different branches have different security measures - if so why? why not have high standard for every branch? and... For crying out loud - this is one of the country's major credit rating bureaus that companies use to conduct credit checks. An institution like that better have adequate security measures. If I have your SS#, bDay, address, name, history, financial reports (yes I can get them base on the hack), and so on, there is virtually no way to know someone have impersonated you. also - if you think the 2 year free monitoring is going to fix that, then you're either very naive or work for Experian. Sorry for being very direct-
  • They are providing the service for free to TMobile customers. They aren't making any money off of it. They aren't being rewarded. The monitoring part of experian is a completely different branch than the experian TMobile credit scoring that got hacked. Posted via the Android Central App
  • So is this Exerian in general or the part that just does TMo accounts? I have identity monitor with them kinda ironic if you ask me. Posted via the Android Central App
  • That's it. One too many hacks. We are going to have to start all over again. New names, numbers and addresses for everyone!
  • So, Experian was compromised, and now they want people to sign up with them? Does anyone else see the irony in this?
  • Took the words right out of my mouth bro I swear Posted via the Android Central App
  • Well, it's not like you're giving them information they didn't have. Merely signing up with a service that alerts you to compromises to your credit.
  • Yep totally! Their penolty for data breach is getting influx of new customers. And.... The worst... AC recommend as it.... Oh my. Posted via the Android Central App
  • You beat me to it...
  • Well, I am on T-Mo prepaid plans so they have no clue what my SSN is.
  • I have never understood why there isn't regulation/legislation that states that this information can only be stored as long as necessary to approve/deny a person's application. A business should have no right to hold on to this information beyond the time necessary to resolve whatever the consumer originally provided the information for. Why is Experian allowed to hold onto such detailed information for years beyond when someone actually was approved/denied for credit.
  • You do know they are one of the three top credit beaurus and already have all your information anyways right? Posted via the Android Central App
  • this is why im not worried about signing up for the protection... hackers already got everything anyway lol
  • Basically all you can do is protect yourself Posted via the Android Central App
  • I think you missed the point. Everyone knows they are one of the top bureaus and that they gather information - the point is that they shouldn't be able to stockpile large volumes of metadata when it isn't related to the specific transaction they are processing and that information that they ARE storing should be encrypted uniquely at the record level. Unless you're processing a transaction specifically for me - my information shouldn't be accessible at all and even if the system is penetrated, my data on the volume should be uniquely keyed such that an exploit of the storage mechanism isn't a total exploit of ALL of the stored data.
  • Because that's the entire point of Experian. If they didn't hold onto your information, they wouldn't exist as a business or a concept. Credit, as a concept, would disappear. If they don't hold onto your detailed information for years beyond when someone actually was approved/denied for credit, they'd have no information with which to approve/deny someone for credit.
  • That's actually not correct. Your credit worthiness is a derivative of your reported information from your creditors. Experian themselves does not need to hold on to your actual application data or a large amount of information that they currently have in order to provide a credit score. The reported credit data from your creditors is all that is necessary to derive a score and I don't know if you've ever looked at that data, but it is just payment history. So no, credit as a concept wouldn't disappear at all - no more than it didn't come into being before companies like Experian began warehousing all of this data. There was a viable and healthy credit market long before the existence of these companies. The additional metadata that is gathered to apply for credit is only actually relevant to confirm your identity/reduce fraud and confirm authority to deliver a credit score. The fact that they hold your address for your entire life and a lot of other information is not part and parcel to the credit approval process - it is in the identity validation process and further down the line in the products that they can sell to creditors that want to offer you more credit. The information that was stolen serves the purpose purely of penetrating the systems that are used to protect against fraud as by knowing these details they can apply for credit in your name exclusively. This has always been the gotcha when it comes to these sorts of systems. Once penetrated, there is nothing preventing someone from using that pile of information from creating a shitload of credit accounts and charging them off. I'm always amazed that people go nuts when the NSA keeps tabs on who you call but don't realize that the metadata stored with these companies can effectively tell a merchant when you need to take a crap or get a laxative due to your purchase history, travel locations, restaurants, etc.
  • You're correct that Experian just gets the data from other companies... but if they weren't at all times holding on to that data, getting your credit check would take weeks, as Experian would have to gather that information from all the other companies each and every time.
  • That is because in US no one cares. Every business stors your personal data and then resells. You need to fight to have it removed.... In Europe is the other way around. Posted via the Android Central App
  • In Europe you can't have the note 5 lmao suckas. Posted via the Android Central App
  • Dang well this sucks. What are you supposed to do when the credit agency itself gets hacked? Also, two years isn't NEAR enough. And the hackers would surely know that you're being protected for the two year time period. They should be forced to offer this for life.
  • Good point Posted via the Android Central App
  • So the same company that just got hacked and compromised millions of people personal info is now offering 2 free years of "fraud protection"? Am I missing something here? Posted via Note 5/AC App...
  • Yep... Bit ridiculous isn't it ? Posted via the Android Central App
  • best (worst) line i read today during all of this came when i went to the ID protection site. "We offer multiple layers of protection and are backed by Experian® - a name you can trust."
  • Great. Had been with AT&T since iPhone launched, just switched to T-Mo Aug 22. FFFFFFFUUUUUUUUUUUUUUUU!
  • Thank God I'm on a prepaid plan! Posted via the Android Central App
  • Some of my friends switch to prepaid.... Sounds like a good idea. Posted via the Android Central App
  • What if I applied for a possible buy out but didn't actually sign up? I had to give them my info for a credit check. Posted via the Android Central App
  • Try and sign up for it. If you get the free 2 years great if not oh well. Posted via the Android Central App
  • I have had a not very good experience with Experian. I have very good credit and keep tabs of the credit report yearly. (and all of you should too) I have lived in my current house for 9 years. It is free and clear with no Mortgage. I check my report and they have my address as XXX N 77the Ave APT 1250 XXXX AZ. So the address is correct except for the Apartment Number. Its a single family house not an apartment. I contacted them and asked them to correct the info as I had bought a new vehicle and when they ran the Credit Report they asked why I checked own your home when I lived in an apartment. I provided a copy of the deed info etc from the County and they would not correct it. Around and around we went. I finally got hold of someone by phone ( not an easy task with these people) and explained the problem. I was told I could correct it if I sent a copy of a Utility bill with the apt number on it and then a newer one with out! WTF? OK so I print an old bill and take a pen and write APT 1250 on it next to the address. Then Take the current bill un altered and send both via email. I get an email that says Information corrected! The address was exactly the same. Now that instills confidence in their processes and procedures. I wasted 6 months of my life trying to talk to someone with a Brain at Experian. Burn in He77 Experian!
  • If you only check your credit reports yearly you are doing yourself a great injustice. Posted via the Android Central App
  • why? I have a solid credit score (737), get balance alerts on my checking account and check my banking info almost every day. i get my free credit report once a year, usually around the time I do my taxes. the biggest threat is somebody stealing my identity and opening a bank account. what these thieves do, is once they have a person's info, they'll go to a bank either with a fake id, or even better, they personally know the banker. so they open the account, throw a $100 in there, and they're good to go. so here's the threat, 5 months later, they apply for a credit card, or a personal line of credit. so if I check my credit report once a year, I'll see this is going on. a police report would need to be filed and a copy sent the the 3 major credit bureaus so it could be removed. I'd file a claim with the bank obviously and all accounts would be shut down. I don't have over $250k at my bank, so every penny is FDIC insured. would be a major pain, but whether I catch it on my credit report 1 month, 5 months, or 10 months after it happened, I'd still have to go through the same process. some people check there credit report just for the number, but that's probably the last important thing in a credit report. being sure there are no discrepancies, or compromises to your identity are what's critical.
  • Well my credit score is a bit higher than yours. But that's not the point. And not why I check my credit reports often. The main thing is looking If someone is attempting to open a credit card account or get a loan fraudulently with your identity... wouldn't it be better to know the day they attempted that versus waiting a whole year to check your credit report to find out? Yes it would. So please don't listen to the above people's tips about only checking your credit report once every year. That's the worst advice ever. Especially when you can get free weekly credit reports from 2 credit beaurus on credit karma once a week to look for any new or fraudulent inquiries and hard pulls on your credit. You could stop the identity thief before they even get the card mailed to them instead of trying to undo a years worth of damage. Posted via the Android Central App
  • How about prepaid customers? Posted via the Android Central App
  • What about them? Check out my new YouTube channel for tech reviews!
  • Might have to let my sister know. She shopped around for new service last month. T-Mobile, Verizon or Sprint Posted via...The One
  • Thanks for letting us know... When we all read this article we all were instantly worried about her. Posted via the Android Central App
  • I feel like I have a free subscription to protectMyID
  • Site is down. Nice.
  • Thats probably the slickdeals effect
  • I would like to point out that in some states Tmobile uses another bureau other than Experian. Hawaii and CA at least I believe use Transunion.
  • I hope that is true. I live in CA.
  • Hope that is true as well! Posted via the Android Central App
  • yup, they pulled transunion when I signed up for postpaid plan. but thank you tmobile for that 2 year identity theft protection.
  • I'm honestly not sure now. Tmobile CS told me they still had sent my info to Experian and I was part of it, although my credit reports only list Tmobile under Transunion.
  • I think they gathered all the accounts opened at that time period between sept 2013 to sept 2015, rather than checking which state residents got which credit bureau pulled.
  • Possible and hoping that's the case. It would be time consuming to actually check each account to see which bureau was used.
  • I got some weird calls from someone claiming they work for experian.. Said I need to "confirm" my DOB, SSN, school I went to and something else before she could give me information on something. So yup, my info is out there. :( Just fyi the number was a 321 area code, I started getting the calls Oct 1 around noon. And hanging up just meant they call a couple of hours later. The callers sound extremely unprofessional and you hear a mess in the background (a call center).
  • Sign up for this free service. Also sign up for credit karma and view your free weekly credit reports (from equifax and transunion) and look for fraudulent credit inquiries on your credit report if you find any ask all three beaurus to put a fraud alert on your credit reports and credit inquiries from banks or companies trying to extend you or the identity theif credit or a loan will have to take additional steps to verify your I'd before they extend a credit line or loan in your name. Posted via the Android Central App
  • pretty soon i'm going to need a monitoring service to monitor all my credit monitoring services.
  • So I am supposed to trust the company that compromised my personal data to protect it now? Why didn't they do that before? I think T-mobile should find another company to provide credit protection.
  • This is so real. Got some group of hackers who got access to there server. Check them out at vasthack@gmail.com
  • You can hire them for your credit, grade, phone, mail, server, social media and mail hack
  • I can say any security app is very essential to get the best out of a mobile phone.and for its safety.I am using one app called Leo master safety guard.This app is helping me as i can hide any file like the media and data files from third party access.Other than that it can also lock the other apps and make it hidden.I found it good and here is there page: Facebook Page:
    https://www.facebook.com/pages/LEO-Privacy-Guard/1709302419294051 Official Website:
    http://www.leomaster.com/