T-Mobile & Experian Hack: Should You Be Worried?

In short, yes, you should be worried – but not too much.

A brief overview of the hack’s facts

• Who got breached? T-Mobile data was stolen via a hack through Experian, one of the biggest credit reporting companies in the world
• Who was affected? T-Mobile customers in the United States who applied for a post-paid cell phone plan or had financed a mobile device within the last two years
  • From which time period was the data stolen?  September 1, 2013 – September 16, 2015; if you were a T-Mobile customer outside of that time period, your information should be safe
  • How many customers had their data stolen? 15 million
• Who is responsible for the hack? At this time, it is still unclear who the actual perpetrator of the hack was; Experian has been referring to the unknown hacker as “an unauthorized party”
• What was stolen? Customers’ names, addresses, Social Security numbers, dates of birth, identification numbers (such as driver’s licenses, military IDs, or passport numbers), and other information T-Mobile needed for credit assessment
  • What was not stolen? Neither debit/credit card information nor banking information of T-Mobile customers was stolen in this hack. It should also be noted that Experian’s own consumer credit data was not compromised – neither was data processed by Experian for other clients
• When did the hack occur? The actual dates of the hack are still unclear at the moment, but Experian has said that the hack was “an isolated incident over a limited period of time.”
• When was the hack discovered? September 15, 2015
• When was the hack reported? October 1, 2015
• How did the hack occur? At this point, it is unclear exactly how the hack – the unauthorized access of one of Experian’s network servers – occurred, but T-Mobile has said that Experian’s method of data encryption may have been compromised
  
  

What this hack means for T-Mobile Customers

Although no credit card or bank information was stolen in this hack, all the information a criminal would need to accomplish various fraudulent activities – such as opening credit card accounts or applying for bank loans – was stolen. What this means is that if your stolen identity is going to be used by criminals, you might not notice any fraudulent activity in your name until days, weeks, maybe even months down the road.

Thankfully, however, since your credit and bank information were not stolen, you do not need to worry about closing the credit card and bank accounts you already have.

What should you do if your identity was stolen?

Experian has offered two years of free credit monitoring and identity theft protection to those affected by this hack. Although a nice gesture, the irony remains that those who have had their identities stolen will need to give additional personal information to the very same company that got hacked in order to “protect” their identities through that company. Furthering the irony, Experian published a press release on September 22, 2015 (a week after the hack was discovered and nine days before reporting the hack) entitled “Experian Data Breach Resolution releases its Annual 2015-2016 Data Breach Response Guide” and, on September 30, 2015, hosted a session called “Not Your Everyday Breach: Managing Incidents with Unique Circumstances” at the International Association of Privacy Professionals (IAPP) Conference.

Even John Legere, the CEO of T-Mobile, senses the irony and is currently working on finding an alternative to Experian for affected customers:

I hear you re: Experian as service protection option. I am moving as fast as possible to get an alternate option in place by tomorrow.

— John Legere (@JohnLegere) October 1, 2015

Although you may feel powerless if your identity has potentially been stolen, you can still take any or all of the following steps to secure your identity through credit reporting companies – it is better to do something than nothing in this case:

• In accordance with federal law, all credit reporting companies are required to provide you with a free copy of your credit report every 12 months upon request. Although Experian has reported that there has been no evidence thus far that any of the stolen data has been used fraudulently, it would still be extremely worthwhile to ask for your free credit report (if you haven’t asked for one in the past 12 months) from all the credit bureaus during the next few weeks.
• Consider placing a “fraud alert” on your credit report. A fraud alert alerts creditors that when someone opens a credit card account, applies for a loan, or does anything that requires pulling a credit report the creditors will need additional steps to verify that person’s identity.
  • Alternatively, consider placing a “security freeze” on your credit reports. A security freeze effectively blocks any potential creditors from viewing your credit report unless you “unfreeze” your report. Although this method may cost you money – security freeze fees range from $0 to $15 – it can stop most if not all fraudulent activity from occurring in the first place since creditors are unlikely to give credit or loans if they are unable to view the credit report. This method may be a hassle when it comes to applying for credit or loans yourself (since you’d have to unfreeze your reports first) but it is the most effective if you’re very worried about your identity being stolen.
• Until T-Mobile announces an alternative, you should consider signing up for Experian’s offer for free credit monitoring and identity protection, despite the irony. They have asked the affected individuals to sign up for their two years of free credit monitoring offer by April 30, 2016. Click here or call 866-369-0422 to start the process of redeeming your two free years.

You should be aware that monitoring your accounts for fraudulent activity is a defensive move: it doesn’t stop fraud happening under your name in the first place. If a flag is raised while monitoring your identity and accounts, it is too late: your identity has been already been compromised. With credit monitoring, the credit monitoring company will alert you of questionable activity and investigate if requested. Depending on the credit bureau, the alleged fraudulent activity should remain hidden from view from future creditors (so you can continue your own credit-related activities without being affected) until the matter is resolved.

One final note about the hack: affected customers of the hack should be aware that neither T-Mobile nor Experian will, in regards to the hack:

• Call you
• Send you a message
• Ask for your personal information

Under no circumstances should you give out any personal information to anyone who contacts you using the aforementioned methods. Experian, however, will be sending (snail) mail out to all affected individuals by November 30, 2015.

Additional, official information and announcements about the hack:

• T-Mobile CEO John Legere’s Letter to Consumers
• T-Mobile-specific FAQs
• Experian Press Release
• Public Fact Sheet by Experian