A server containing sensitive consumer information at Experian has been breached, with the records of as many as 15 million T-Mobile customers stolen, the companies said Thursday.
There is no evidence that the stolen information has been used for fraud, the firms said.
The news came at the same time as the American Bankers Association separately said that email addresses and passwords used to make purchases or register for events through its online shopping cart had been compromised. At least 6,400 users' records had been posted online, the trade group said, though there was no evidence that credit card or other personal financial information had been accessed.
The breaches underscore the escalating cyber threats facing the financial services industry, which businesses and consumers entrust to protect valuable private information.
In the incident at Experian, the affected customers had applied for device credit or credit checks from T-Mobile from September 2013 through mid-September of this year. The breach was "an isolated incident" limited to one Experian client, T-Mobile, at an Experian unit called Decision Analytics, and did not affect the information services giant's consumer credit bureau business, the company said.
"Records containing a name, address, Social Security number, date of birth, identification number (typically a driver's license, military ID, or passport number) and additional information used in T- Mobile's own credit assessment were accessed," Experian said in a frequently asked questions page on its website. "No payment card or banking information was obtained."
In a letter to T-Mobile customers, the company's CEO John J. Legere said the most sensitive of the information, like Social Security numbers, had been encrypted, but "Experian has determined that this encryption may have been compromised."
"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," Legere wrote, though at the moment his priority is helping affected customers. "I take our customer and prospective customer privacy VERY seriously."
A spokeswoman for Experian said the encryption issue was "still under investigation," but that early assessments indicate its keys could indeed have been compromised.
Experian said that when it discovered the breach, it "took immediate action, including securing the server, initiating a comprehensive investigation, and notifying U.S. and international law enforcement." It is notifying affected customers and offering them two years' free credit monitoring and identity resolution services.
Similarly, the ABA said in an email to members that it is "working with a cybersecurity forensics company to identify the origin and full extent of this breach." In the meantime, the trade group has reset user passwords and is encouraging members to log in and create new ones. The ABA did not immediately respond to an email seeking further comment.
Experian has had data leak issues before. Earlier this year, the company was hit with a class-action lawsuit for allegedly selling consumer records containing personally identifiable information to an identity thief. The data sales in question were conducted by a consumer data aggregator Experian acquired called Court Ventures.