Experian Breached, 15 Million T-Mobile Customer's Data Exposed

New submitter Yuuki! writes: The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer who has applied for device financing or even services from T-Mobile which required a credit check. Both parties were quick to point out that no no credit card or banking data was stolen as part of the attack. The attack started back in September 2013 and was only just discovered on September 16, 2015. Both Experian and T-Mobile have posted statements on their websites and Experian is offering credit for two free years of identity resolution services and credit monitoring in the wake of the breach.

Two Free Years!

Two free years of credit monitoring after the bad guys had two free years of access! Great work, Experian!

Phew, I was worried there for a second.

[EmagGeek]

Thank God my Credit Card numbers weren't breached, because those are impossible to cancel and replace. I'm so thankful it was only my Passport number, Driver's License number, social security number, full legal name, birth date, and address that were stolen, because those are a snap to cancel and replace.

Re:Phew, I was worried there for a second.

I was born in Sarcastistan, you insensitive clod!

Identity Theft

[Jason+Levine]

As an identity theft victim, let me say that "no credit card or banking data was stolen" means nothing. With name, address, SSN, and birth date compromised (as well as driver's license and passport numbers), anyone can now open new lines of credit in the names of any of the 15 million people whose information was accessed. And the two years of "credit monitoring" will do almost nothing. Fraud alerts won't either - those are voluntary.

My recommendation if you are one of the 15 million people is to freeze your credit. This will stop ANYONE from opening a new line of credit under your name unless you first thaw your credit file. It's a royal pain in the rear when you need to do things like refinance a loan, but it's better than having a collections agency banging down your door because you owe $5,000 on a credit card that "you" opened.

Re:Identity Theft

[gtall]

I second this advice, I did this several years ago. It should be noted, however, that the three credit record agencies cannot prevent someone from getting credit in your name. The system relies on the intuition, and it is only that, that any self-respecting credit issuing entity will require a credit record (and a good one, at that) before issuing credit. If Joe's Bank and Bait Shop wants to issue someone a credit card in your name and doesn't give a flying rat's ass about your credit history, they are free to do this.

There is no national system to prevent credit from being authorized in your name, even to aliens from other worlds.

Fuck You, Experian

[drinkypoo]

Guess what they're not giving you? Your actual credit report. You just get the abbreviated version, so you can't actually look it over and see if this generally corrupt industry is fucking you. They will, however, sell you your credit report at a special members-only price. So what's happened here basically is that Experian is getting free advertising and T-Mobile is going to get off without punishment.

Fuck you Experian, and fuck you T-Mobile.

I already said fuck T-Mobile since they cancelled the PAYG plans I've been using, but fuck them twice now.

Are there ANY US mobile providers from whom I can buy a PAYG SIM which are not total fucks?

Re:inadequate

[gstoddart]

And as long as they have no legal liability for keeping this stuff safe, an insincere "I'm sorry" is all you will ever get. If corporations can hold your private data and have no consequences for having shit security, they will continue to do so.

For a credit agency to store that much personally identifying information and be hacked tells me that agencies like this need to have some pretty severe penalties for shit like this ... because they have pretty much everything required to steal your identify.

If we're going to entrust this data to these entities, we should sure as hell make certain we can actually trust them with it. And I would say that Experian has more or less demonstrated themselves to be incompetent to hold this information.

It really is time to stop letting companies treat this as "their" data, and realize they have an obligation to safeguard our data, and to be legally responsible when they fail to do so.

Requirement to be forgotten

One of the best things that can be done to prevent data breaches is require that data be deleted after a certain time. I don't see a good reason why 15 million customers should have their data retained after the credit check is complete. It won't stop breaches, but it would limit their scope. There also needs to be severe penalties for negligent security or failing to notify customers in a timely manner. Better yet, eliminate social security numbers for identification altogether outside of social security and (maybe) tax purposes. And it's no surprise that a credit bureau was attacked. They're gold mines of information waiting to be compromised. I'd like to see particularly strong regulation of these companies. Consumers don't really get to opt in, but this personal information is stored and can be compromised easily. That doesn't seem fair at all to me.

Experian Credit Breach

Experian is offer a two year free credit monitoring in connection with the breach of their system. In order to sign up for the two year credit monitoring they require you to provide your full identity; SS number, birth date, etc. Isn't that just the information that was just compromised in their system??? How do they think they can be trusted??? This does not resolve the problem of their lack of network security with sensitive information.