Telco T-Mobile has had confidential finance data about 15 million of its US customers stolen from a server hosted by information service Experian.
The profile information relates to anyone who had ever applied for any T-Mobile service and includes data about credit checks on applicants and device financing.
“Obviously I am incredibly angry about this data breach,” said T-Mobile CEO John Legere in a direct letter to customers. “We will institute a thorough review of our relationship with Experian. Right now my top concern is assisting any and all consumers affected. I take our customer and prospective customer privacy very seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”
The data stolen also included names, dates of birth, addresses and Social Security numbers. No payment card or banking information was acquired, the company said.
“We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause,” said Craig Boundy, CEO of Experian North America. “That is why we’re taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation.”
Experian said it took immediate action upon finding the breach, securing the server, and initiating an investigation. It also notified US and international law enforcement.
As compensation, any customer who may have been affected has been offered two years of free credit monitoring and identity resolution services through Experian’s Protect My ID programme.
Security expert Kane Hardy, VP EMEA at Hexis Cyber Solutions, suggested that Experian’s defences leave room for improvement. “More consideration needs to be given to security budgets to protect from within networks rather than perimeter-focused technology,” said Hardy. “Advanced targeted attacks are capable of extracting information from multiple points in the network. Cyber hackers using automated tools can attack network perimeters relentlessly.”
“The Experian breach is the latest in a long line of large companies being targeted by cyber-criminals,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “Being breached is no longer a question of if but when, so businesses need to move away from the traditional ‘Network perimeter centric’ strategy of focusing on breach prevention towards a ‘secure breach’ approach.
“As the risk of data theft continues to grow, companies must ensure that through a data-centric approach to security they protect their sensitive information. The combination of strong authentication in conjunction with encryption and key management solutions ensures that information in case of theft is unusable for the attacker.”