Frequently Asked Questions about the Experian Incident
Updated October 8, 2015
Overview and FAQs from Experian
Overview: Unauthorized Acquisition of Personal Information
- On Sept. 15, 2015 Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server.
- Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained.
- Based on Experian’s investigation to date, the unauthorized access was an isolated incident over a limited period of time. It included access to a server that contained identifying information for some organizations and, primarily, personal information for individuals, including some current customers, and also consumers who applied for T-Mobile USA postpaid services or device financing, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015.
- Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were accessed. No payment card or banking information was obtained.
- Experian notified appropriate federal and international law enforcement agencies and has taken additional security steps to help prevent future incidents.
- Experian continues to investigate the theft, closely monitor their systems, and work with domestic and international law enforcement. Investigation of the incident is ongoing.
- Experian is notifying the individuals who may have been affected and is offering free credit monitoring for two years and identity resolution services for as long as the customer needs it. In addition, government agencies are being notified as required by law.
- Although there is no evidence at this time that the data has been used inappropriately, Experian strongly encourages affected individuals to enroll in the complimentary identity resolution services.
About the incident
Q: What happened?
A: Experian's network server was accessed by an unauthorized party. Based on Experian’s investigation to date, the unauthorized access was an isolated incident over a limited period of time. It included access to a server that contained identifying information for some organizations and, primarily, personal information for individuals, including some current customers, and also consumers who applied for T-Mobile USA postpaid services or device financing between Sept. 1, 2013 and Sept. 16, 2015.
Experian's consumer credit database was not accessed, and no other clients' data was accessed.
At this time, Experian has no evidence that T-Mobile's information has been used inappropriately.
As soon as Experian detected the unauthorized access, they notified law enforcement and initiated a full investigation. Experian continues to investigate the incident and is taking the necessary steps to prevent it from recurring.
Q: What information might have been compromised?
A: Based on Experian’s investigation to date, some organizations had unauthorized disclosure of identifying information and individuals, including some current customers, and also consumers who applied for services or device financing from Sept. 1, 2013 through Sept. 16, 2015, had unauthorized disclosure of their personal information. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver's license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were downloaded. No payment card or banking information was obtained. Experian's consumer credit database was not accessed as part of this incident.
What does this mean for me?
Q: How do I know if I was impacted?
A: Based on Experian’s investigation to date, this incident impacted some organizations and individuals, including some current customers, and also consumers who applied for service or device financing at T-Mobile USA, Inc. from Sept. 1, 2013 through Sept. 16, 2015. Anyone who receives a letter notifying them that their personal information was compromised, and anyone who applied for postpaid service or financed a device during the time period described above, could be impacted.
Q: Isn’t all of my personal data that was exposed enough to steal my identity?
A: The information that was exposed could lead to an increased risk of identity theft. Although Experian has no evidence suggesting your personal information has been misused, they take their obligation to help you protect your information very seriously, and deeply regret that this has happened. Experian encourages all eligible individuals to enroll in the complimentary identity resolution services Experian has offered.
Q: What is Experian doing to help me protect my identity?
A: Experian is providing affected individuals with two years of free credit monitoring through ProtectMyID, as well as identity resolution services for as long as the customer needs it. This service provides you with a credit report from Experian upon enrollment, credit monitoring from all three nationwide credit reporting agencies, internet scans, access to specialized fraud resolution agents and more.
Those who believe they may have been affected by this incident can obtain more information or enroll in these services by:
- Visiting www.ProtectMyID.com/SecurityIncident
- Calling 866-369-0422 to enroll in ProtectMyID or the alternative identity protection product
- Sending an email with questions to email@example.com
Those who believe they are affected but have not received a notification via mail by Nov. 30, 2015 are encouraged to visit www.experian.com/T-MobileFacts to learn about enrollment in credit monitoring and identity protection or call to enroll via an agent. Please enroll by April 30, 2016.
Q: What else can I do to protect myself?
A: There are several additional steps you can take to protect your information:
- Always remain vigilant against threats of ID theft or fraud.
- If you suspect you are a victim of identity theft or fraud, you have the right to file and obtain a copy of the police report.
- Be alert to "phishing" by someone who acts like a colleague or friend and requests sensitive information over email, such as passwords, social security numbers, or bank account numbers. (Note: Experian or T-Mobile will NOT proactively reach out to you to ask for sensitive information over email or phone.)
- Consider placing a fraud alert or security freeze on your credit file.
The Federal Trade Commission (FTC) also provides information about how to avoid identity theft and what to do if you suspect your identity has been stolen. Contact the FTC at www.consumer.ftc.gov, 1-877-ID-THEFT (1-877-438-4338), or the FTC Identity Theft Clearinghouse, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. You also can get information from your state's attorney general.
Q: Should I close my bank account?
A: There weren’t any bank account numbers contained in the file accessed, based on Experian’s investigation to date. However, it is always a good practice to monitor your banking activity.
Q: Should I close my credit card or other accounts?
A: There were no credit card numbers or account numbers contained in the file accessed, based on Experian’s investigation to date. However, it is always a good practice to monitor your credit card activity.
Q: What should I do if someone calls me saying they're from T-Mobile, Experian, or another company, asking for additional information from me so they can help protect me?
A: Under no circumstances will Experian or T-Mobile call you or send you a message and ask for your personal information in connection with this incident. You may go to the website listed above or contact Experian or T-Mobile directly, but you should not provide personal information to anyone who calls you or sends you a message about this incident.
Fraud Alerts and Credit Freezes
Q: What is a fraud alert?
A: You may consider placing a 90-day fraud alert, also called an initial security alert, on your credit report.
- A 90-day fraud alert is free to anyone who is a victim of identity theft or fraud. It must be renewed after 90 days.
- It indicates you have reason to believe you are a victim of identity theft or fraud. The alert informs lenders that they should take additional precautions before extending credit in your name. You need only contact one of the national credit reporting agencies to add alerts to all three; they share fraud alerts.
Q: How do I put a 90-day fraud alert on my credit report?
A: You may place a 90-day fraud alert on your credit report by contacting any one of the three national consumer reporting agencies.
The easiest way to initiate an initial security alert is to use this online form: Experian initial security alert
You can also call Experian at 1-888-397-3742.
Q: What is a Security Freeze (Credit Freeze)?
A: You may also consider contacting each credit reporting agency directly if you wish to put in place a security freeze on your account.
Important consideration: It is important to note that a security freeze is an extreme measure. If you are planning to apply for credit or other services such as auto or home loans, rent, or utilities in the near future, freezing your credit may not be advisable.
- You must request a freeze with each of the national credit reporting companies separately (initiating a freeze at one doesn’t register with the others, like a 90-day fraud alert does).
- When you freeze your credit, you are provided a personal identification number (PIN). Save this PIN in your records; you will need it to remove the freeze temporarily or permanently.
- A security freeze remains until you remove it.
Q: How do those impacted by the breach involving T-Mobile data place a security freeze on their Experian credit reports?
A: Those impacted by the breach involving T-Mobile data may place a security freeze at Experian – at no cost and without providing a police report – by calling 866-243-2385 or adding it online here. This does not place a security freeze on your Equifax or TransUnion credit reports. You must contact those credit reporting agencies independently for their specific procedures regarding security freezes.
Q: I’m confused, which option should I choose? A fraud alert or security freeze?
A: Both options are available to help you prevent fraud and recover from it. Read this blog post or review this infographic to better understand the differences between each option.
I'm still confused
Q: Why is Experian notifying me when I applied for credit at T-Mobile?
A: Experian is handling notification about this unauthorized access given that the information was stored on a server in one of their business units. Experian is also providing credit monitoring and identity resolution services to those individuals affected by this incident.
Q: Did T-Mobile have a breach?
A: There was no breach of T-Mobile's security or systems. Based on Experian’s investigation to date, the intrusion targeted an Experian server that happened to contain information on some organizations and individuals, including some current customers, and also consumers who applied for T-Mobile USA postpaid service or device financing, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015.
Q: Why is there a delay between the incident and notifying me that this happened?
A: Experian began the process of notification as soon as it was evident that sensitive identifying information had been exposed in the incident. Experian’s first priority was mitigation and containment, followed by conducting an investigation. This investigation was necessary to validate that Experian was able to successfully contain the incident and determine the scope.
This process required some time, and Experian wanted to be sure that they provided accurate information. Thus, Experian also took steps to evaluate the information acquired, as well as to identify current addresses to provide postal notice to impacted individuals. Experian will continue to update you if their ongoing investigation yields additional information.
Q: What's "additional information used in T-Mobile's own credit assessment?"
A: In order to evaluate the risk level of a credit applicant, T-Mobile uses a variety of information to determine the likelihood that a borrower will be able to pay. Information used to do this can include a consumer’s payment history, as well as information from Experian or other sources. That information is then compiled and used in their credit criteria when evaluating the risk level of an applicant. In this case, the data acquired included the fields containing those assessments, but not the underlying information used in calculating the assessment.
What Experian is doing to make it right
Q: What steps have you taken to remediate the issue?
A: Experian is addressing this issue with strengthened IT security, and they are providing those affected by this theft with the assistance they need. This has been a top priority for Experian. When Experian discovered this intrusion, they quickly notified law enforcement. Experian took several steps to mitigate the issue including but not limited to:
- assessing and removing malware or improper connectivity
- performing assessment of isolation procedures of the affected server and associated systems
- engaging U.S. and international law enforcement
- increased monitoring of the affected servers and associated systems
Q: What are you doing to prevent this from happening again?
A: Experian is committed to building customers for life and is working tirelessly to improve their security systems and processes. They have taken immediate steps to harden their environment. Experian continues to work to validate that their security measures and practices stand up to the high standards to which they hold themselves.
Q: Since Experian was compromised, can it effectively offer credit monitoring?
A: Absolutely. This was an isolated incident of one server and one client's data. The consumer credit bureau was not accessed in this incident and no other clients' data was involved.
Q: Do you know who was behind this?
A: Experian does not know who the criminals were behind this incident, but Experian has contacted and is cooperating with law enforcement in their ongoing investigation into who was responsible.
Additional T-Mobile-specific FAQs
Q: How many T-Mobile customers were affected by the Experian incident?
A: The individuals impacted included applicants for T-Mobile services or device financing from September 1, 2013 through September 16, 2015, as well as some current customers. Experian is notifying the individuals who may have been affected but, based on Experian’s investigation to date, we know many of the approximately 15 million affected were not current T-Mobile customers, so we recommend that anyone who applied for service during this timeframe – or thinks they may have – get the free protection services being offered.
Q: What is T-Mobile doing to advise and assist individuals who may have been impacted?
A: Experian has taken full responsibility for the theft of data from its server. Experian is notifying the individuals who may have been affected, and offering free credit monitoring and identity restoration services to all of the individuals who are potentially at risk from this intrusion. In addition to working with Experian to ensure that company is taking the right steps, T-Mobile president and CEO John Legere has issued an open letter to be clear in our views, and we’ve trained our call center staff on proper handling of any inquiries regarding the Experian breach.
Q: Why was T-Mobile storing my information?
A: Experian maintains a historical record of the applicant data used by T-Mobile to make credit decisions. The data provides the record of the applicant’s credit application with T-Mobile and is used to assist with credit decisions and respond to questions from applicants about the decision on their credit application. The data is required to be maintained for a minimum period of 25 months under credit laws.
Q: What did T-Mobile do to make sure this information was safe?
A: T-Mobile takes privacy and security very seriously. All of our vendors are contractually obligated to abide by stringent privacy and security practices, and we regularly conduct reviews of vendor security practices as necessary. That was no different with Experian.
In this case, Experian took several steps to mitigate the issue including, but not limited to:
- ensuring web application firewalls are working as intended
- enhancing security of encryption keys
- limiting authorized access to the server
- engaging U.S. and international law enforcement and cybercrime authorities
- increased monitoring of the affected servers and associated systems
Q: Was the information password protected or encrypted?
A: Yes. Experian determined that, although Social Security and identification numbers were encrypted, the encryption may have been compromised.
Q: What specific measures did Experian have in place to protect your data?
A: Our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network. You will have to speak with Experian to get detailed information about their security practices. After this incident, we understand Experian has taken additional steps to mitigate the issue and has committed that the personal information of people applying for T-Mobile service is safe.
Q: Can I get free credit monitoring services, even if I’m not sure?
A: Absolutely. We want any T-Mobile customer or applicant for service who might be concerned to be able to get the free credit monitoring and identity restoration services Experian is offering at www.protectmyID.com/securityincident. Just go there and sign up for free. Or, you can call Experian at 866-369-0422 and ask to enroll in the alternative identity protection product.
Q: What happens after two years of credit monitoring?
A: Experian’s identity restoration services are available for as long as the customer needs it, even after the two-year credit monitoring expires.
Q: Why only two years?
A: It is typical to offer 1 year of credit monitoring, but we wanted to double that to ensure our customers are protected for a more extended period of time.
Q: I’m a current T-Mobile customer. How do I know if I’m affected?
A: Affected individuals should be notified via an official letter from Experian. Additionally, current T-Mobile customers who may be affected should see an alert in their MyT-Mobile account when they log in.
(Note: Neither Experian nor T-Mobile will proactively contact you to ask for private information from you via email or phone.)
Q: Can I request to have this data deleted?
A: The data is required to be maintained for a minimum period of 25 months under credit laws.
Q: How long have you worked with Experian?
A: We have worked with Experian for a number of years, as they are one of the leading global credit bureaus.
Q: Are you going to use a different vendor as a result of this incident?
A: We continually evaluate whether our suppliers offer the best value and performance. We are conducting a thorough investigation of this incident and will take appropriate next steps on behalf of applicants for T-Mobile products and services, and for our customers.