Overview: Unauthorized Acquisition of Personal Information On Sept. 15, 2015 Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server. Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained. The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T- Mobile's own credit assessment were accessed. No payment card or banking information was obtained. Experian notified appropriate federal and international law enforcement agencies and has taken additional security steps to help prevent future incidents. We continue to investigate the theft, closely monitor our systems, and work with domestic and international law enforcement. Investigation of the incident is ongoing. Experian is notifying the individuals who may have been affected and is offering free credit monitoring and identity resolution services for two years. In addition, government agencies are being notified as required by law. Although there is no evidence that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services. To get additional information or learn more please visit www.experian.com/T-MobileFacts 1 Frequently Asked Questions About the Incident Q: What happened? A: Experian’s network server was accessed by an unauthorized party.The unauthorized access an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015. Experian’s consumer credit database was not accessed, and no other clients’ data was accessed. At this time, we have no indication that T-Mobile’s information has been used inappropriately. As soon as Experian detected the unauthorized access, we notified law enforcement and initiated a full investigation. We continue to investigate the incident and we are taking the necessary steps to prevent it from recurring. Q: What information might have been compromised? A: Based on our investigation to date, some T-Mobile applicants who applied for services from Sept. 1, 2013 through Sept. 16, 2015 had unauthorized disclosure of their personal information. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were downloaded. No payment card or banking information was obtained. Experian’s consumer credit database was not accessed as part of this incident. What does this mean for me? Q: How do I know if I was impacted? A: Based on our investigation to date, this incident may have impacted individuals who applied for service at T-Mobile USA, Inc. from Sept. 1, 2013 through Sept. 16, 2015. If you applied for postpaid service or financed a device during that time period, you could be impacted. Q: Isn’t all of my personal data that was exposed enough to steal my identity? A: The information that was exposed could lead to an increased risk of identity theft. Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened. We encourage all eligible consumers to enroll in the complimentary identity resolution services we have offered. 2 Q: What is Experian doing to help me protect my identity? A: We are providing affected T-Mobile applicants with two years of free credit monitoring and identity resolution services through ProtectMyID. This service provides you with a credit report from Experian upon enrollment, credit monitoring from all three nationwide credit reporting agencies, internet scans, access to specialized fraud resolution agents and more. Consumers affected by this incident can obtain more information or enroll in these services by: Visiting www.ProtectMyID.com/SecurityIncident Visiting www.experian.com/T-MobileFacts for frequently asked questions. Calling 866-369-0422 to get the assistance they need in understanding their options. Sending an email with questions to consumersupport@protectmyid.com. Individuals who believe they are affected but have not received a notification via mail by Nov. 30, 2015 are encouraged to visit http://www.experian.com/T-MobileFacts to learn about enrollment in credit monitoring and identity protection or call to enroll via an agent. Please enroll by April 30, 2016. Q: What else can I do to protect myself? A: There are several additional steps you can take to protect your information: Always remain vigilant against threats of ID theft or fraud. If you suspect you are a victim of identity theft or fraud, you have the right to file and obtain a copy of the police report. Be alert to “phishing” by someone who acts like a colleague or friend and requests sensitive information over email, such as passwords, Social Security numbers, or bank account numbers. (Note: Experian or T- Mobile will NOT ask for sensitive information over email.) Consider placing a fraud alert or security freeze on your credit file. The Federal Trade Commission (FTC) also provides information about how to avoid identity theft and what to do if you suspect your identity has been stolen. Contact the FTC at www.consumer.ftc.gov, 1 877 ID THEFT (1 877 438 4338), or the FTC Identity Theft Clearinghouse, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. You also can get information from your state’s attorney general – see <link> Q: How do I put a fraud alert on my credit report? A: You may consider placing a fraud alert on your credit report. This fraud alert statement informs creditors of possible fraudulent activity within your report and requests that your creditor contact you prior to establishing any accounts in your name. You may place a fraud alert by calling any one of the three national consumer reporting agencies. Contacting any one of the three agencies will place an alert on your file at all three agencies: Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241 Experian: 1-888-EXPERIAN (397-3742); www.experian.com/fraud; P.O. Box 9554, Allen, 3 TX 75013 TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790 Q: What else can I do to protect my credit? A: You may also consider contacting the credit reporting agencies directly if you wish to put in place a security freeze on your account. A security freeze restricts all creditor access to your account, but might also delay any requests you make for new accounts. Check with the credit reporting agencies for their specific procedures regarding security freezes. Q: Should I close my bank account? A: There were no bank account numbers contained in the file accessed, based on our investigation to date. However, it is always a good practice to monitor your banking activity. Q: Should I close my credit card or other accounts? A: There were no credit card numbers or account numbers contained in the file accessed, based on our investigation to date. However it is always a good practice to monitor your credit card activity. Q: What should I do if someone calls me saying they’re from T-Mobile, Experian, or another company, asking for additional information from me so they can help protect me? A: Under no circumstances will Experian or T-Mobile call you or send you a message and ask for your personal information in connection with this incident. You may go to the website listed above or contact Experian or T-Mobile directly, but you should not provide personal information to anyone who calls you or sends you a message about this incident. I’m Still Confused Q: Why is Experian notifying me when I applied for credit at T-Mobile? A: Experian is handling notification about this unauthorized access given that the information was stored on a server in one of our business units. Experian is also providing credit monitoring and identity resolution services to those individuals affected by this incident. Q: Did T-Mobile Have a Breach? A: There was no breach of T-Mobile’s security or systems. The unauthorized access occurred on an Experian server that happened to contain information on some T-Mobile applicants, based on our investigation to date. Q: Why is there a delay between the incident and notifying me that this happened? A: We began the process of notification as soon as it was evident that sensitive identifying information had been exposed in the incident. Our first priority was mitigation and containment, followed by conducting an investigation. This investigation was necessary to validate that we 4 were able to successfully contain the incident and determine the scope. This process required some time, and we wanted to be sure that we provided accurate information. Thus, we also took steps to evaluate the information acquired, as well as to identify current addresses to provide postal notice to impacted individuals. We will continue to update you if our ongoing investigation yields additional information. Q: What’s “additional information used in T-Mobile's own credit assessment?” A: In order to evaluate the risk level of a credit applicant, T-Mobile uses a variety of information to determine the likelihood that a borrower will be able to pay. . Information used to do this can include a consumer’s payment history, as well as information from Experian or other sources. That information is then compiled and used in their credit criteria when evaluating the risk level of an applicant. In this case, the data acquired included the fields containing those assessments, but not the underlying information used in calculating the assessment. What We’re Doing to Make it Right Q: What steps have you taken to remediate the issue? A: We are addressing this issue with strengthened IT security, and we are providing those affected by this theft with the assistance they need. This has been a top priority for Experian. When Experian discovered this intrusion, we quickly notified law enforcement. Experian took several steps to mitigate the issue including but not limited to: assessing and removing any presence of malware or improper connectivity performing assessment of isolation procedures of the affected server and associated systems engaging U.S. and international law enforcement increased monitoring of the affected servers and associated systems Q: What are you doing to prevent this from happening again? A: Experian is committed to building customers for life and is working tirelessly to improve our security systems and processes. We have taken immediate steps to harden our environment. to ensure our security measures and practices stand up to the high standards to which we hold ourselves. Q: Since Experian was compromised; can it effectively offer credit monitoring? A: Absolutely. This was an isolated incident of one server and one clients’ data. The consumer credit bureau was not accessed in this incident and no other clients’ data was involved. Q: Do you know who was behind this? A: We do not know who the criminals were behind this incident, but we have contacted and are cooperating with law enforcement in their ongoing investigation into who was responsible. 5 Additional T-Mobile-specific FAQs Q: What is T-Mobile doing to advise and assist individuals who may have been impacted? A: Experian is notifying the individuals who may have been affected, and offering free credit monitoring and identity restoration services to all of the consumers who are potentially at risk from this incident. In addition to working with Experian to ensure that company is taking the right steps, T-Mobile president and CEO John Legere has issued an open letter to be clear in our views, and we’ve trained our call center staff on proper handling of any inquiries regarding unauthorized access of T-Mobile data. Q: Why was T-Mobile storing my information? A: Experian maintains a historical record of the applicant data used by T-Mobile to make credit decisions. The data provides the record of the applicant’s credit application with TMobile and is used to assist with credit decisions. The data is required to be maintained for a minimum period of 25 months under credit laws. Q: What did T-Mobile do to make sure this information was safe? A: T-Mobile takes privacy and security very seriously. All of our vendors are contractually obligated to abide by stringent privacy and security practices, and we regularly conduct reviews of vendor security practices as necessary. In this case, Experian took several steps to mitigate the issue including but not limited to: ensuring web application firewalls are working as intended enhancing security of encryption keys limiting authorized access to the server engaging U.S. and international law enforcement increased monitoring of the affected servers and associated systems Q: Was the information password protected or encrypted? A: Yes. Although Social Security and identification numbers were encrypted, the encryption may have been compromised. Q: What specific measures did Experian have in place to protect your data? A: Our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network. You will have to speak with Experian to get detailed information about their security practices. After this incident, we understand Experian has taken additional steps to mitigate the issue and has committed that the personal information of people applying for T-Mobile service is safe. Q: Can I request to have my data at T-Mobile deleted from Experian’s servers? A: The data is required to be maintained for a minimum period of 25 months under credit laws. Q: What other T-Mobile customer data was on the server? 6 A: We understand from Experian that this particular information set was the only T-Mobile data compromised, based on their investigation to date. Q: Has T-Mobile had a data breach before? A: We have never experienced an incident of this scale or scope before. In this case, there has been no breach of T-Mobile’s systems or network. This intrusion took place on a server operated and maintained by Experian, who has accepted full responsibility for the incident. In 2014, Experian informed us of a breach from a company they acquired, who was also a TMobile vendor, impacting approximately 13,000 people. That incident occurred before Experian’s acquisition of that vendor. Q: How long have you worked with Experian? A: We have worked with Experian for a number of years, as they are one of the leading global credit bureaus. Q: Did Experian breach their contract with T-Mobile? A: Our focus right now is ensuring that affected individuals have the information they need from Experian, who is working directly with affected consumers on our behalf. Any contractual matters between the two companies will be addressed at a later time. Our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network. Q: Are you going to use a different vendor as a result of this incident? A: We continually evaluate whether our suppliers offer the best value and performance. We are conducting a thorough investigation of this incident and will take appropriate next steps on behalf of applicants for T-Mobile products and services, and for our customers. ###### 7