Q: How many T-Mobile customers were affected by the Experian incident?
A: The people impacted were applicants for T-Mobile services or device financing from September 1, 2013 through September 16, 2015. Based on Experian’s investigation to date, we know many of the approximately 15 million affected were not current T-Mobile customers, so we recommend that anyone who applied for service during this timeframe – or thinks they may have – get the free protection services being offered.
Q: What is T-Mobile doing to advise and assist individuals who may have been impacted?
A: Experian has taken full responsibility for the theft of data from its server. Experian is notifying the individuals who may have been affected, and offering free credit monitoring and identity restoration services to all of the consumers who are potentially at risk from this intrusion. In addition to working with Experian to ensure that company is taking the right steps, T-Mobile president and CEO John Legere has issued an open letter to be clear in our views, and we’ve trained our call center staff on proper handling of any inquiries regarding the Experian breach.
Q: Why was T-Mobile storing my information?
A: Experian maintains a historical record of the applicant data used by T-Mobile to make credit decisions. The data provides the record of the applicant’s credit application with T-Mobile and is used to assist with credit decisions and respond to questions from applicants about the decision on their credit application. The data is required to be maintained for a minimum period of 25 months under credit laws.
Q: What did T-Mobile do to make sure this information was safe?
A: T-Mobile takes privacy and security very seriously. All of our vendors are contractually obligated to abide by stringent privacy and security practices, and we regularly conduct reviews of vendor security practices as necessary. That was no different with Experian.
In this case, Experian took several steps including but not limited to:
- ensuring web application firewalls are working as intended
- enhancing security of encryption keys
- limiting authorized access to the server
- engaging U.S. and international law enforcement and cybercrime authorities
- increased monitoring of the affected servers and associated systems
Q: Was the information password protected or encrypted?
A: Yes. Experian determined that, although Social Security and identification numbers were encrypted, the encryption may have been compromised.
Q: What specific measures did Experian have in place to protect your data?
A: Our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network. You will have to speak with Experian to get detailed information about their security practices. After this incident, we understand Experian has taken additional steps to mitigate the issue and has committed that the personal information of people applying for T-Mobile service is safe.
Q: Can I get free credit monitoring services, even if I’m not sure?
A: Absolutely. We want any T-Mobile customer or applicant for service who might be concerned to be able to get the free credit monitoring and identity restoration services Experian is offering at www.protectmyID.com/securityincident. Just go there and sign up for free.
Q: What happens after two years of credit monitoring?
A: Experian’s identity restoration services are available indefinitely. Credit monitoring expires after two years.
Q: Why only two years?
A: It is typical to offer 1 year of credit monitoring, but we wanted to double that to ensure our customers are protected for a more extended period of time.
Q: I’m a current T-Mobile customer. How do I know if I’m affected?
A: Affected individuals should be notified via an official letter from Experian. Additionally, current T-Mobile customers who may be affected should see an alert in their MyT-Mobile account when they login.
(Note: Neither Experian nor T-Mobile will proactively contact you to ask for private information from you via email or phone.)
Q: Can I request to have my data at T-Mobile deleted from Experian’s servers?
A: The data is required to be maintained for a minimum period of 25 months under credit laws.
Q: What other T-Mobile customer data was on the server?
A: We understand from Experian that this particular information set was the only T-Mobile data compromised, based on their investigation to date. We can’t speak to what other data Experian had on their server.
Q: Has T-Mobile had a data breach before?
A: We have never experienced an incident of this scale or scope before. In this case, there has been no breach of T-Mobile’s systems or network. This intrusion took place on a server operated and maintained by Experian, who has accepted full responsibility for the incident. In 2014, Experian informed us of a breach from a company they acquired, who was also a T-Mobile vendor, impacting approximately 13,000 people. That incident occurred before Experian’s acquisition of that vendor.
Q: How long have you worked with Experian?
A: We have worked with Experian for a number of years, as they are one of the leading global credit bureaus.
Q: Are you going to use a different vendor as a result of this incident?
A: We continually evaluate whether our suppliers offer the best value and performance. We are conducting a thorough investigation of this incident and will take appropriate next steps on behalf of applicants for T-Mobile products and services, and for our customers.