T-Mobile to 'review relationship' with Experian following data breach

Out-Law News | 05 Oct 2015 | 5:00 pm | 1 min. read

T-Mobile will "institute a thorough review" of its relationship with data processor Experian after personal information about approximately 15 million people was exposed during an attack on Experian's systems, the company's chief executive has said.

John Legere said he was "incredibly angry" about the data breach, which exposed the names, addresses and dates of birth of both existing and previous T-Mobile customers in the US. Encrypted data such as customers' social security numbers, driver's licences or passport details, as well as credit assessment details, was also compromised, he said.

Experian processes credit applications made by prospective T-Mobile customers on behalf of the mobile provider. The breach affected customers who required a credit check for service or device financing between 1 September 2013 and 16 September 2015, Legere said.

"We will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere said. "I take our customer and prospective customer privacy very seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information. Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data."

T-Mobile said Experian was "contractually obligated to abide by stringent privacy and security practices" which were subject to its review. The company said that old credit data was retained by Experian on its behalf as a result of legal requirements.

"Experian maintains a historical record of the applicant data used by T-Mobile to make credit decisions," the company said. "The data provides the record of the applicant’s credit application with T-Mobile and is used to assist with credit decisions and respond to questions from applicants about the decision on their credit application. The data is required to be maintained for a minimum period of 25 months under credit laws."

Experian said it identified it had been the victim of a data breach on 15 September. It said it "notified appropriate federal and international law enforcement agencies" about the breach and "taken additional security steps to help prevent future incidents".