October 2, 2015

Kicking off National Cybersecurity Awareness Month with a bang, credit bureau and consumer data broker Experian North America disclosed Thursday that a breach of its computer systems exposed approximately 15 million Social Security numbers and other data on people who applied for financing from wireless provider T-Mobile USA Inc.

Experian said the compromise of an internal server exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment. The Costa Mesa, Calif.-based data broker stressed that no payment card or banking details were stolen, and that the intruders never touched its consumer credit database.

Based on the wording of Experian’s public statement, many publications have reported that the breach lasted for two years from Sept. 1, 2013 to Sept. 16, 2015. But according to Experian spokesperson Susan Henson, the forensic investigation is ongoing, and the exact date that the intruders broke into Experian’s server remains unclear at this point.

Henson told KrebsOnSecurity that Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 2015.

T-Mobile CEO John Legere blasted Experian in a statement posted to T-Mobile’s site. “Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote.

WHAT YOU CAN DO

Experian said it will be notifying affected consumers by snail mail, and that it will be offering affected consumers free credit monitoring through its “Protect MyID” service. Take them up on this offer if you want, but I would strongly encourage anyone affected by this breach to instead place a security freeze on their credit files at Experian and at the other big three credit bureaus, including Equifax, Trans Union and Innovis.

Experian’s offer to sign victims up for its credit monitoring service to address a breach of its own making is pretty rich. Moreover, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

If after ordering a free copy of your credit report at annualcreditreport.com you find unauthorized activity on your credit file, by all means take advantage of the credit monitoring service, which should assist you in removing those inquiries from your credit file and restoring your credit score if it was dinged in the process.

But as I explain at length in my story How I Learned to Stop Worrying and Embrace the Security Freeze, credit monitoring services aren’t really built to stop thieves from opening new lines of credit in your name.

If you wish to block thieves from using your personal information to obtain new credit in your name, freeze your credit file with the major bureaus. For more on how to do that and for my own personal experience with placing a freeze, see this piece.

I will be taking a much closer look at Experian’s security (or lack thereof) in the coming days, and my guess is lawmakers on Capitol Hill will be following suit. This is hardly the first time lax security at Experian has exposed millions of consumer records. Earlier this year, a Vietnamese man named Hieu Minh Ngo was sentenced to 13 years in prison for running an online identity theft service that pulled consumer data directly from an Experian subsidiary. Experian is now fighting off a class-action lawsuit over the incident.

During the time that ID theft service was in operation, customers of Ngo’s service had access to more than 200 million consumer records. Experian didn’t detect Ngo’s activity until it was notified by federal investigators that Ngo was an ID thief posing as a private investigator based in the United States. The data broker failed to detect the anomalous activity even though Ngo’s monthly payments for the consumer data lookups that his hundreds of customers conducted each month came via wire transfers from a bank in Singapore.


74 thoughts on “Experian Breach Affects 15 Million Consumers”

  1. Tom

    Why doesn’t Experian offer a freeze for free for affected customers, instead of only credit monitoring… which BTW also seems to be a marketing platform to sell other services (like “a special member discounted rate for your credit score”).

  2. Ryan

    To take advantage of the “Protect MyID” free credit monitoring you have to provide your credit card details. So am I the only one that feels like they are saying “Hey, we lost a bunch of your sensitive information, but if you give us your credit card info too, we will … send you an email if it happens again?”

  3. Krissia

    Honestly, what a crappy offer! They need to offer their affected customers FREE freezes. A freeze on your credit report is by far a more secure and effective method against ID theft.

  4. John

    Everyone should write to their lawmakers to force these credit reporting agencies to provide a credit file locking feature for free. After all they are making money off of our private data. Equifax already has this feature but only if you pay for their Complete Premier Plan which costs $20 per month.

    https://help.equifax.com/app/answers/detail/a_id/63/~/locking-your-equifax-credit-report-with-credit-report-control

    Search for “Equifax Credit Report Control” or see footnote number 7 here http://www.equifax.com/premier/

    1. -stephen

      YES! All of these “services” are already free of charge in South Carolina, so it is possible. Call your state legislators and tell them to kick the credit reporting agencies out of bed and pass the laws that YOU need to protect YOUR data without sucking more money out of YOUR pockets. Oh, am I repeating myself? Well, the crooks don’t have any problem repeating themselves, and the data holders don’t have any problem repeatedly apologizing for the breaches and offering to pay millions to the credit reporting agencies. Find out who your state legislators are and call them TODAY!

  5. Richard

    “names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers,…”. Isn’t that ENOUGH of your information?

  6. Lee Lipsey

    Re Experian data breach …

    Recently I became eligible for Social Security benefits. When I went to SSA.gov to set up my online account … guess what …. it turns out that SSA uses Experian to authenticate my identity.

    Since the bad guys already got my personal data in the recent Anthem data breach …. I can only laugh at Social Security depending on Experian to certify my identity.

  7. Kathy

    Unbelievable. For the second time in a year, my social security number has been stolen. And they are offering free “credit monitoring?” For 2 years? And boasting that no credit information was given out? Because what, that’s much worse than giving out social security numbers, right? Luckily, all our social security numbers will expire after 2 years, so we will no longer be at risk of identity theft FOR THE REST OF OUR LIVES, right? Oh, and it’s OK, if we don’t want to be at risk, we can just PAY Experian to lock up our credit.

  8. John Whiteside

    When is the class action suit being filed on these inept and callous bastards? Sign me up and stick your paltry and weak offer where the sun don’t shine!
