T-Mobile continues to employ a company that has been the subject of not one, but two major attacks affecting T-Mobile customers.

T-Mobile employs a company named Experian to perform credit checks. It’s a popular company for this sort of thing — all of us have heard of FreeCreditReport.com, the Experian-owned service with the catchy commercials. Hackers recently broke into Experian and stole social security numbers, birth dates, addresses and drivers license numbers registered to 15 million people, including T-Mobile customers who were applying for credit checks.

T-Mobile is trying to make it right, and CEO John Legere recently published a letter, claiming he wants to be “direct, transparent and honest.” Legere isn’t telling you the full story.

See, this isn’t the first time T-Mobile has been involved in a data breach with Experian, which Legere fails to mention in his public letter. The first incident occurred in December 2013 when T-Mobile discovered, but didn’t publicly disclose information until a month later, that a breach had occurred with a supplier named Decisioning Solutions.

Guess who owns Decisioning Solutions? Experian. It bought Decisioning Solutions in April 2013.

You’d think T-Mobile might have cut off ties with Experian then, but it didn’t. Instead, it offered customers credit protection from ProtectMyID, an Experian-provided service. Yes, you read that correctly. It employed the very company that was breached to provide protection against identity and credit fraud.

Yikes! That alone seems like a mistake, but it gets worse.

Instead of walking away from Experian and actually protecting its customers, T-Mobile continued to employ the firm. And here we are — Experian has been hacked again and T-Mobile is playing the victim. Except, I can’t see where it’s trying to fix things. In fact, it’s still giving Experian business.

Guess what T-Mobile offers for customers affected by the breach? Yep, you guessed it, another two years of free credit monitoring from ProtectMyID, the Experian-provided service. Here’s Legere’s direct quote, attempting to comfort consumers:

“Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services at www.protectmyID.com/securityincident,” Legere said in his apologetic blog post.

It doesn’t matter to me if T-Mobile and Experian say that the firm’s “consumer credit database was not accessed,” because the point here is that Experian has already proved, to me, through two strikes, that it’s not capable of properly protecting consumer data from hackers. For someone who says that he takes “customer and prospective customer privacy VERY seriously,” (emphasis Legere’s) it seems odd to me that he’s putting the safety of their identities in the hands of a firm that was just hacked.

It’s obscene. If someone broke into your parking garage (Experian) and stole your car (your personal data) would you ever park there again? Of course not. You wouldn’t trust the security guards, right? Unfortunately, T-Mobile is basically putting your car right back in that garage and hiring the same security guards (ProtectMyID) to guard it. Yes, as Om Malik with The New Yorker notes, Experian is offering other options, but they’re not advertised directly by T-Mobile.

It is no wonder to me, then, that I read a report on Bloomberg today that reveals at least five class-action lawsuits have been filed against T-Mobile and Experian. A sixth, Bloomberg said, is only against Experian.

If you care about your private data, and I think we all do, then we shouldn’t let firms buddy up with one another time and time again, mistake after mistake. As I said in January 2014 on Twitter: “sad loop.” And it’s one that needs to stop.


This post may contain affiliate links. See our disclosure policy for more details.