Credit reporting agency Experian (EXPGY) said Thursday that a data breach at one of its business units may have compromised the personal records of about 15 million people including customers of T-Mobile (TMUS).
A hacker or hackers appear to have obtained access to an Experian server—one that is not a part of its consumer credit bureau, the company said—that hosted the personal information of people who applied for the carrier’s services between Sept. 1 2013, and Sept. 16, 2015. The information accessed included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, and passport IDs, Experian said. It added that “no payment card or banking information was obtained.”
Experian said it discovered the intrusion on Sept. 15.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” said T-Mobile CEO John Legere in a letter to customers posted on the company’s website. “This is no small issue for us.”
Legere added that the breach did not affect T-Mobile’s own network. He also said that his company will offer two years of free credit monitoring to victims of the attack—ironically, through Experian, which markets the services with the tagline : “A name you can trust.”
Some commenters pointed out the irony on Twitter.
Credit monitoring from same morons who lost the data. It's like crazy time. https://t.co/BnkfomL40l
— OM (@om) October 1, 2015
Experian, based in Costa Mesa, Calif., is one of the top credit reporting agencies alongside Equifax (EFX) and TransUnion. According to federal credit laws, companies like Experian must maintain historical records of applicant data for at least 25 months.
A couple of years ago, the independent investigative journalist Brian Krebs called out Experian for selling data to an identity theft service.
Experian gave no hint about who may have accessed its customer data, other than to say it was “an unauthorized party.”
“We do not know who the criminals were behind this incident,” the company said. It added that “there is no evidence that the data has been used inappropriately,” and that it is working with law enforcement on the matter.
Experian said the data had been encrypted. But it added that it may have been compromised.
For more on T-Mobile, watch this video below.
Subscribe to Data Sheet, Fortune’s daily business-tech newsletter.
