Experian blasted after massive data breach

A massive data breach at credit application processing firm Experian has leaked sensitive personal data for at least 15 million customers.

John Legere, chief executive of T-Mobile. Source: supplied

Experian is the world's largest credit checking agency and has international operations, including in Australia. 

The breach earned the company an angry spray from US boss of German telco and Experian customer T-Mobile, John Legere.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere wrote.

"I take our customer and prospective customer privacy very seriously. This is no small issue for us."

Legere said T-Mobile’s systems and network were not affected and no customer payment card numbers or bank account information was taken. 

The data stolen from Experian included credit checks for service or device financing from September 1, 2013 to September 16, 2015, Experian North America said in a statement.

Sensitive data inluding names, dates of birth, addresses and encrypted fields with Social Security number and identification details such as driver's license numbers, as well as additional information used in T-Mobile's own credit assessment, were also captured.

Federal and international law enforcement agencies were notified and an investigation was ongoing, Experian said.

Its US and Canada chief executive Craig Boundy apologised for the stress and concern the data theft may cause.

The credit checking agency is offering two years' worth of credit monitoring and identity protection services through firm ProtectMyID. 

Boundy also warned consumers that phishing attempts may follow the data breach, and said that neither Experian nor T-Mobile would phone or text affected individuals to request personal information in connection with the incident.

He did not comment who was suspected to be behind the large-scale information breach, nor how the intrusion took place, and said only that a network server was accessed by an unauthorised party.