Cybersecurity Lesson from T-Mobile and Experian

Recently, the whole world, and U.S. citizens especially, were stirred up by news of the leak of credit history data belonging to 15 million subscribers of the international mobile operator T-Mobile.

What is notable in this story is that the information was not stolen directly from T-Mobile’s database but from the servers of its partner, Experian. Considering this example in detail gives a valuable cybersecurity lesson, so let’s review it now.

The popular proverb says, ‘No man is an island’. It is much easier to solve any task together. Not everyone always has the opportunity, time and knowledge to solve a specific problem personally and comprehensively. Thus, to succeed in business, large companies often cooperate with other companies that provide them with certain types of services.

Depending on the type of service, some providers may ask for the registration data of the company or the personal data of its employees and customers. It is to be noted that two-factor authentication provider Protectimus is not among such partners. During the authentication process, Protectimus does not require and doesn’t transfer any users’ personal data. This is reasonable, since we often enter the requested information automatically, without giving due attention to how and where the data will be stored, who can get this information, and what consequences this may entail.

How T-Mobile users’ data was stolen

A good example of such carelessness is the cooperation between T-Mobile, which works in the field of mobile communications, and the global information service Experian, which assessed customers’ credit history before they signed a contract with T-Mobile.

This partnership resulted in a large scandal: personal information of 15 million T-Mobile customers was stolen by unknown violators from an Experian server. The stolen data included names, dates, birthdays, addresses of the clients, as well as encrypted social security numbers, passport details and driver’s license numbers of people who used or intended to use the T-Mobile service in the period from September 01, 2013 to September 16, 2015.

This sensational event demonstrated the basic lesson of cybersecurity: each and every one of us should take care of data security. Hackers are crafty, and if they can’t find a gap in the system of one company, they’ll find it in a partner’s company and get all the information they need. Thus, everyone should consider whether their data is in reliable hands, whether they are letting their partners down, and whether their partners are letting them down.

So we have established that the main lesson of cybersecurity is that both partners are obliged to take care of data protection and to keep the information on their resources carefully protected from compromise. For example, Experian’s mistake led to a chain of troubles for its innocent partner and its clients.

It is still unknown how the hackers managed to gain access to the Experian servers, and moreover, to gain access to the T-Mobile encrypted files. But it is clear that the company did not fully take care of the security of confidential information, which should be stored under lock and key.

In connection with this situation, it is our duty to remind you that one of the key elements of data protection is two-factor authentication of users via hardware tokens or special smartphone applications, which generate one-time passwords for 2-factor authentication. Using 2FA is a serious obstacle for an attacker. It is difficult to get past unless the hacker manages to take over one of the company employees’ tokens.

What measures should the victims take to protect themselves from ‘identity theft’?

Having learned about the hack, T-Mobile CEO John Legere made a statement about his serious approach to protecting the data of existing and potential users. To avoid new hacker attacks, T-Mobile intends to revise its business relations with Experian.

For its part, Experian has accepted all the blame for what happened and offered aggrieved customers two-year credit monitoring. At the same time, both companies give assurances that the stolen information did not contain credit card numbers or users’ bank data.

Yet for the victims it doesn’t matter who is to blame for the incident. They face a much more serious problem: how to protect themselves from ‘identity theft’. According to recent reports, employees of the company Trustev found data being sold on the black market that corresponded to the data stolen from T-Mobile in both type and time of publication. Social security numbers were among them.

The use of such data for fraudulent purposes can result in serious problems for T-Mobile customers – from illegal loans to criminal offenses committed by their ‘doubles’, who took possession of their data.

To protect themselves from ‘identity theft’, those who suffered from the hackers’ attack are advised to freeze access to their credit history at one of the three credit bureaus: Equifax, Experian, and TransUnion. The essence of a freeze is that no one can see your credit history without your permission. This prevents someone from fraudulently opening an account or taking out credit in the victim’s name.

At the same time, limiting access to the credit history has some negative aspects for those who decide to use a freeze:

  1. Cost. Setting up such a limit is usually free, but the catch is that every time you need access to your credit information, you will have to pay a fee to lift the ban. It is quite expensive to pay $12 every time you get a new job, rent an apartment, or buy a mobile phone.
  2. If the fraudster has already managed to use the data, freezing is a waste of time and money. If the ‘identity theft’ has already taken place and accounts have been opened, all the victim can do is go to the police, notify financial institutions about possible financial fraud on his/her account, use two-factor authentication to log in to accounts, change existing passwords, regularly check credit history and monitor account balances.

You should always remember that it is easier to prevent a hacker attack than to fix all its negative consequences. If you are not sure about the safety of information stored by you or your partner, use the help of a third-party company specializing in data protection services.

One of the most effective protection methods is the introduction of two-factor authentication, which reduces the risk of data storage compromise. A comprehensive approach and the joint efforts of the companies can significantly increase the level of personal data security and protect your customers and partners from bitter disappointments.

Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.

  1. Your weblog is showing a lot more interest and enthusiasm. Thank you so significantly.
    • Thank you for the warm feedback! I’m glad that you liked the article.