Cyber Incident Victim: Experian

On September 15, 2015, Experian discovered unauthorized access to a server containing highly sensitive personal data for over 15 million U.S. consumers who applied for T-Mobile postpaid services between September 1, 2013, and September 16, 2015. The breach occurred within Experian’s infrastructure while the company processed credit applications on behalf of T-Mobile, though T-Mobile confirmed its own systems and networks were not compromised. Attackers exfiltrated names, addresses, Social Security numbers, birth dates, and identification documents including driver’s licenses, passports, or military IDs. Experian acknowledged that while Social Security numbers and ID numbers were encrypted, investigators determined this encryption might have been compromised during the intrusion. This marked at least the third data breach disclosed by Experian since March 2013. The company initiated an investigation but had not finalized its findings at the time of public disclosure on October 1, 2015.

T-Mobile CEO John Legere publicly condemned the breach, emphasizing his anger and commitment to assisting affected consumers while announcing a comprehensive review of the company’s relationship with Experian. Experian offered two years of free credit monitoring to impacted individuals and published a FAQ detailing steps to place fraud alerts on credit files. Security journalist Brian Krebs criticized the credit monitoring as insufficient, advocating instead for fraud alerts due to their greater effectiveness in preventing identity theft. The breach notification cautioned that initial assessments often underestimate the full scope of such incidents, leaving open the possibility of additional compromised records or services. No evidence suggested theft of payment card numbers or bank account information during the intrusion.