Overview: Unauthorized Acquisition of Personal Information

On Sept. 15, 2015 Experian discovered an unauthorized party accessed T-Mobile
data housed in an Experian server.

Experian’s consumer credit database was not accessed in this incident, and no payment
card or banking information was obtained.

The unauthorized access was in an isolated incident over a limited period of time. It
included access to a server that contained personal information for consumers who applied
for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015.

Records containing a name, address, Social Security number, date of birth,
identification number (typically a driver’s license, military ID, or passport number)
and additional information used in T-Mobile's own credit assessment were
accessed. No payment card or banking information was obtained.

Experian notified appropriate federal and international law enforcement agencies and
has taken additional security steps to help prevent future incidents.

We continue to investigate the theft, closely monitor our systems, and work with
domestic and international law enforcement. Investigation of the incident is ongoing.

Experian is notifying the individuals who may have been affected and is offering free
credit monitoring and identity resolution services for two years. In addition, government
agencies are being notified as required by law.

Although there is no evidence that the data has been used inappropriately, Experian
strongly encourages affected consumers to enroll in the complimentary identity
resolution services. To get additional information or learn more please visit
www.experian.com/T-MobileFacts
Frequently Asked Questions
About the Incident
Q: What happened?
A: Experian’s network server was accessed by an unauthorized party. The unauthorized access was
an isolated incident over a limited period of time. It included access to a server that contained
personal information for consumers who applied for T-Mobile USA postpaid services between
Sept. 1, 2013 and Sept. 16, 2015.
Experian’s consumer credit database was not accessed, and no other clients’ data was
accessed.
At this time, we have no indication that T-Mobile’s information has been used inappropriately.
As soon as Experian detected the unauthorized access, we notified law enforcement and
initiated a full investigation. We continue to investigate the incident and we are taking the
necessary steps to prevent it from recurring.
Q: What information might have been compromised?
A: Based on our investigation to date, some T-Mobile applicants who applied for services from
Sept. 1, 2013 through Sept. 16, 2015 had unauthorized disclosure of their personal information.
Records containing a name, address, Social Security number, date of birth, identification
number (typically a driver’s license, military ID, or passport number) and additional information
used in T-Mobile's own credit assessment were downloaded. No payment card or banking
information was obtained. Experian’s consumer credit database was not accessed as part of this
incident.
What does this mean for me?
Q: How do I know if I was impacted?
A: Based on our investigation to date, this incident may have impacted individuals who applied
for service at T-Mobile USA, Inc. from Sept. 1, 2013 through Sept. 16, 2015. If you applied for
postpaid service or financed a device during that time period, you could be impacted.
Q: Isn’t all of my personal data that was exposed enough to steal my identity?
A: The information that was exposed could lead to an increased risk of identity theft. Although
we have no evidence suggesting your personal information has been misused, we take our
obligation to help you protect your information very seriously, and deeply regret that this has
happened. We encourage all eligible consumers to enroll in the complimentary identity
resolution services we have offered.
Q: What is Experian doing to help me protect my identity?
A: We are providing affected T-Mobile applicants with two years of free credit monitoring and
identity resolution services through ProtectMyID. This service provides you with a credit report
from Experian upon enrollment, credit monitoring from all three nationwide credit reporting
agencies, internet scans, access to specialized fraud resolution agents and more.
Consumers affected by this incident can obtain more information or enroll in these services by:
• Visiting www.ProtectMyID.com/SecurityIncident
• Visiting www.experian.com/T-MobileFacts for frequently asked questions.
• Calling 866-369-0422 to get the assistance they need in understanding their options.
• Sending an email with questions to consumersupport@protectmyid.com.
Individuals who believe they are affected but have not received a notification via mail by Nov.
30, 2015 are encouraged to visit http://www.experian.com/T-MobileFacts to learn about
enrollment in credit monitoring and identity protection or call to enroll via an agent. Please
enroll by April 30, 2016.
Q: What else can I do to protect myself?
A: There are several additional steps you can take to protect your information:
• Always remain vigilant against threats of ID theft or fraud.
• If you suspect you are a victim of identity theft or fraud, you have the right to file and
  obtain a copy of the police report.
• Be alert to “phishing” by someone who acts like a colleague or friend and requests
  sensitive information over email, such as passwords, Social Security numbers, or
  bank account numbers.
  (Note: Experian or T-Mobile will NOT ask for sensitive information over email.)
• Consider placing a fraud alert or security freeze on your credit file.
The Federal Trade Commission (FTC) also provides information about how to avoid identity
theft and what to do if you suspect your identity has been stolen. Contact the FTC at
www.consumer.ftc.gov, 1 877 ID THEFT (1 877 438 4338), or the FTC Identity Theft
Clearinghouse, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. You also can get
information from your state’s attorney general – see <link>
Q: How do I put a fraud alert on my credit report?
A: You may consider placing a fraud alert on your credit report. This fraud alert statement
informs creditors of possible fraudulent activity within your report and requests that your creditor
contact you prior to establishing any accounts in your name.
You may place a fraud alert by calling any one of the three national consumer reporting
agencies. Contacting any one of the three agencies will place an alert on your file at all
three agencies:

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com/fraud; P.O. Box 9554, Allen, TX 75013
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Q: What else can I do to protect my credit?
A: You may also consider contacting the credit reporting agencies directly if you wish to put in
place a security freeze on your account. A security freeze restricts all creditor access to your
account, but might also delay any requests you make for new accounts. Check with the credit
reporting agencies for their specific procedures regarding security freezes.
Q: Should I close my bank account?
A: There were no bank account numbers contained in the file accessed, based on our
investigation to date. However, it is always a good practice to monitor your banking activity.
Q: Should I close my credit card or other accounts?
A: There were no credit card numbers or account numbers contained in the file accessed,
based on our investigation to date. However, it is always a good practice to monitor your
credit card activity.
Q: What should I do if someone calls me saying they’re from T-Mobile, Experian,
or another company, asking for additional information from me so they can help
protect me?
A: Under no circumstances will Experian or T-Mobile call you or send you a message and ask
for your personal information in connection with this incident. You may go to the website listed
above or contact Experian or T-Mobile directly, but you should not provide personal
information to anyone who calls you or sends you a message about this incident.
I’m Still Confused
Q: Why is Experian notifying me when I applied for credit at T-Mobile?
A: Experian is handling notification about this unauthorized access given that the information
was stored on a server in one of our business units. Experian is also providing credit monitoring
and identity resolution services to those individuals affected by this incident.
Q: Did T-Mobile have a breach?
A: There was no breach of T-Mobile’s security or systems. The unauthorized access occurred
on an Experian server that happened to contain information on some T-Mobile applicants,
based on our investigation to date.
Q: Why is there a delay between the incident and notifying me that this happened?
A: We began the process of notification as soon as it was evident that sensitive identifying
information had been exposed in the incident. Our first priority was mitigation and containment,
followed by conducting an investigation. This investigation was necessary to validate that we
were able to successfully contain the incident and determine the scope.
This process required some time, and we wanted to be sure that we provided accurate
information. Thus, we also took steps to evaluate the information acquired, as well as to
identify current addresses to provide postal notice to impacted individuals. We will continue to
update you if our ongoing investigation yields additional information.
Q: What’s “additional information used in T-Mobile's own credit assessment?”
A: In order to evaluate the risk level of a credit applicant, T-Mobile uses a variety of
information to determine the likelihood that a borrower will be able to pay. Information used
to do this can include a consumer’s payment history, as well as information from Experian or
other sources. That information is then compiled and used in their credit criteria when
evaluating the risk level of an applicant. In this case, the data acquired included the fields
containing those assessments, but not the underlying information used in calculating the
assessment.
What We’re Doing to Make it Right
Q: What steps have you taken to remediate the issue?
A: We are addressing this issue with strengthened IT security, and we are providing those
affected by this theft with the assistance they need. This has been a top priority for Experian.
When Experian discovered this intrusion, we quickly notified law enforcement. Experian took
several steps to mitigate the issue including but not limited to:
• assessing and removing any presence of malware or improper connectivity
• performing assessment of isolation procedures of the affected server and associated
  systems
• engaging U.S. and international law enforcement
• increased monitoring of the affected servers and associated systems
Q: What are you doing to prevent this from happening again?
A: Experian is committed to building customers for life and is working tirelessly to improve our
security systems and processes. We have taken immediate steps to harden our environment.
to ensure our security measures and practices stand up to the high standards to which we hold
ourselves.
Q: Since Experian was compromised, can it effectively offer credit monitoring?
A: Absolutely. This was an isolated incident of one server and one client’s data. The consumer
credit bureau was not accessed in this incident and no other clients’ data was involved.
Q: Do you know who was behind this?
A: We do not know who the criminals were behind this incident, but we have contacted and are
cooperating with law enforcement in their ongoing investigation into who was responsible.
Additional T-Mobile-specific FAQs
Q: What is T-Mobile doing to advise and assist individuals who may have been impacted?
A: Experian is notifying the individuals who may have been affected, and offering free credit
monitoring and identity restoration services to all of the consumers who are potentially at risk
from this incident. In addition to working with Experian to ensure that company is taking the
right steps, T-Mobile president and CEO John Legere has issued an open letter to be clear in
our views, and we’ve trained our call center staff on proper handling of any inquiries regarding
unauthorized access of T-Mobile data.
Q: Why was T-Mobile storing my information?
A: Experian maintains a historical record of the applicant data used by T-Mobile to make
credit decisions. The data provides the record of the applicant’s credit application with
T-Mobile and is used to assist with credit decisions. The data is required to be maintained for a
minimum period of 25 months under credit laws.
Q: What did T-Mobile do to make sure this information was safe?
A: T-Mobile takes privacy and security very seriously. All of our vendors are contractually
obligated to abide by stringent privacy and security practices, and we regularly conduct
reviews of vendor security practices as necessary.
In this case, Experian took several steps to mitigate the issue including but not limited to:
• ensuring web application firewalls are working as intended
• enhancing security of encryption keys
• limiting authorized access to the server
• engaging U.S. and international law enforcement
• increased monitoring of the affected servers and associated systems
Q: Was the information password protected or encrypted?
A: Yes. Although Social Security and identification numbers were encrypted, the encryption
may have been compromised.
Q: What specific measures did Experian have in place to protect your data?
A: Our vendors are contractually obligated to abide by stringent privacy and security
practices, and we are extremely disappointed that hackers could access the Experian
network. You will have to speak with Experian to get detailed information about their security
practices. After this incident, we understand Experian has taken additional steps to mitigate
the issue and has committed that the personal information of people applying for T-Mobile
service is safe.
Q: Can I request to have my data at T-Mobile deleted from Experian’s servers?
A: The data is required to be maintained for a minimum period of 25 months under credit
laws.
Q: What other T-Mobile customer data was on the server?
A: We understand from Experian that this particular information set was the only T-Mobile
data compromised, based on their investigation to date.
Q: Has T-Mobile had a data breach before?
A: We have never experienced an incident of this scale or scope before. In this case, there
has been no breach of T-Mobile’s systems or network. This intrusion took place on a server
operated and maintained by Experian, who has accepted full responsibility for the incident. In
2014, Experian informed us of a breach from a company they acquired, who was also a
T-Mobile vendor, impacting approximately 13,000 people. That incident occurred before
Experian’s acquisition of that vendor.
Q: How long have you worked with Experian?
A: We have worked with Experian for a number of years, as they are one of the leading global
credit bureaus.
Q: Did Experian breach their contract with T-Mobile?
A: Our focus right now is ensuring that affected individuals have the information they need
from Experian, who is working directly with affected consumers on our behalf. Any contractual
matters between the two companies will be addressed at a later time. Our vendors are
contractually obligated to abide by stringent privacy and security practices, and we are
extremely disappointed that hackers could access the Experian network.
Q: Are you going to use a different vendor as a result of this incident?
A: We continually evaluate whether our suppliers offer the best value and performance. We
are conducting a thorough investigation of this incident and will take appropriate next steps on
behalf of applicants for T-Mobile products and services, and for our customers.