Experian Plc (EXPN.L), the world's biggest consumer credit monitoring firm, on Thursday disclosed a massive data breach that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc TMUS.N.
Connecticut's attorney general said he will launch an investigation into the breach.
Experian said it discovered the theft of the T-Mobile customer data from one of its servers on Sept. 15. The computer stored information about some 15 million people who had applied for service with telecoms carrier T-Mobile during the prior two years, Experian said.
T-Mobile Chief Executive John Legere said the data included names, addresses, birth dates, Social Security numbers, drivers license numbers and passport numbers. Such information is coveted by criminals for use in identity theft and other types of fraud.
"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," T-Mobile Chief Executive John Legere said in a note to customers posted on the company's website. "But right now my top concern and first focus is assisting any and all consumers affected." (t-mo.co/1M4FSSd)
The Experian breach is the latest in a string of massive hacks that have each claimed millions - and sometimes tens of millions - of customer records, including the theft of personnel records from the U.S. government this year, a 2014 breach on JPMorgan Chase (JPM.N) and a 2013 attack on Target Corp's (TGT.N) cash register systems.
It is also the second massive breach linked to Experian. An attack on an Experian subsidiary that began before Experian purchased it in 2012 exposed the Social Security numbers of 200 million Americans and prompted an investigation by at least four states, including Connecticut.
Experian on Thursday said it had launched an investigation into the new breach and consulted with law enforcement.
The company offered two years of credit monitoring to all affected individuals. People, however, said that they did not want credit protection from a company that had been breached.
Legere responded by promising to seek alternatives.
"I hear you," he said on Twitter. "I am moving as fast as possible to get an alternate option in place by tomorrow."
Experian said the breach did not affect its vast consumer credit database.
Legere said no payment card or banking information was taken.
T-Mobile had nearly 59 million customers as of June 30. A representative for the carrier said that not all 15 million of the affected applicants had opened accounts with T-Mobile.
The telecom carrier's shares were down 1.3 percent in extended trading after closing little changed at $40.13 on the New York Stock Exchange.
In the earlier data breach affecting Experian, a Vietnamese national confessed in U.S. court last year to using a false identity to opening an account with the unit, known as Court Ventures, sometime before Experian purchased it in 2012.
A spokeswoman for Connecticut Attorney General George Jepsen said on Thursday that it would investigate the latest attack.
The spokeswoman, Jaclyn Falkowski, declined to elaborate on the T-Mobile incident, but said the investigations of the Court Ventures matter "is active and ongoing."
(In 7th and 16th paragraphs, this version of the story corrects to show that the previous Experian data breach began before Experian purchased the company in 2012, not that it occurred in 2014.)
(Reporting by Jim Finkle; Additional reporting by Karen Friefeld and Arathy Nair; Editing by Leslie Adler)