Experian faces class actions following T-Mobile customer data breach

Credit card data firm Experian said that it has received an unnamed number of class actions, presumably lawsuits, since it disclosed last month the personal information of around 15 million people who applied for T-Mobile US' (NYSE:TMUS) services had been hacked. Experian also said it is booking a $20 million charge related to the incident.

"Experian has received a number of class actions in respect of the data breach and is currently working with regulators and government bodies as part of their investigations," Experian said in reporting its earnings for the six months ending Sept. 30. Experian said it is currently not possible "to predict the scope and effect on the Group of these various regulatory and government investigations and legal actions, including their timing and scale. In the event of unfavorable outcomes, the Group may benefit from applicable insurance recoveries."

The data that was hacked in the T-Mobile case included names, dates of birth, addresses and Social Security numbers and/or an alternative form of ID like a driver's license number, as well as additional information used in T-Mobile's own credit assessment. No payment card or banking information was acquired, the companies have said.

A T-Mobile spokesman told FierceWireless the carrier has not received any class action suits related to the breach. 

Experian noted that it has notified the individuals who may have been affected and is offering free credit monitoring and identity theft resolution services, and that it has notified the relevant government agencies.

"Our investigation to date reveals this was an isolated incident which affected a single client in our Decision Analytics business in North America and notably did not involve our U.S. consumer credit bureau, nor did it include payment information or bank details," Experian said in a statement.

"The consumers affected by this incident have been our first priority, and we have notified all of them and given them guidance on how they can protect themselves," Experian added. "We are also providing them with two years of free credit monitoring and identity protection services. We have been working relentlessly to resolve the issue and put additional measures in place to respond to this, including working with the U.S. and international law enforcement agencies investigating this criminal incident. Data security has always been a key concern for us, and following this incident we will be reviewing measures to further improve and strengthen our security systems and processes."

After the breach there were reports that the customer data was being sold on the dark Web, according to an online security firm. However, the T-Mobile spokesman told FierceWireless that the carrier does not have any indication at this point that any customer data involved in the breach has been sold or is being sold online.

Last month Sen. Sherrod Brown (D-Ohio) demanded that Experian provide answers on how it was handling the data breach "Experian has files on more than 220 million people. Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system," Brown wrote in a letter to Experian CEO Brian Cassin. Democratic Sens. Richard Blumenthal (Conn.), Bill Nelson (Fla.) and Brian Schatz (Hawaii) also demanded answers from Experian. 

T-Mobile CEO John Legere said on Twitter last month that he "confirmed Experian is now offering an alternate ID protection option. Enroll by contacting them." Legere then linked to an Experian document. Customers can call Experian to enroll in the ProtectMyID service "or the alternative identity protection product," Experian said. That alternative service is a Transunion product called CSID, according to the T-Mobile spokesman. 

For more:
- see this Experian release (PDF)
- see this Reuters article 
- see this FT article (sub. req.)

Related articles:
Report: T-Mobile customer data from Experian breach may already be up for sale
T-Mobile data breach: Hacker steals names, birthdates, Social Security numbers and more from 15M people
Apple removes apps affected by 'XcodeGhost' malware after App Store is hacked
Sprint says its network not at fault in hacking demonstration of Chrysler vehicles
AT&T confirms data breach as hackers hunted for codes to unlock phones

Article udpated Nov. 10 at 1:20 p.m. ET with information from T-Mobile