No, the Experian hack did NOT go on for over two years: it happened last month
In reading a lot of the coverage of Experian’s breach affecting those who applied for T-Mobile USA accounts, I noticed that some journalists and others seemed to interpret Experian’s statement as indicating that the data were hacked/accessed over a two-year period (from September 2013 to September 2015). As I noted to a commenter earlier today, I had read Experian’s statement (and T-Mobile’s statement) as meaning that the hacked database held data from those who applied for T-Mobile accounts between September 2013 until the breach was discovered, but that the hack itself occurred during a relatively brief and recent period.
My impression was formed, in part, because in their submission to the California Attorney General’s Office, Experian reported that the breach occurred on September 14, 2015, and was discovered on September 15, 2015.
So I emailed Experian earlier today, told them my understanding of the timeframe, and asked them to clarify what the time frame of the hack was. Spokesperson Susan Henson responded:
Regarding the timing of when the intrusion happened, yes, much of the
reporting on that topic has been incorrect. The breach was not undiscovered
for two years. Our investigation shows the activity took place over a number
of days in mid-September, not two years as was reported by some media outlets. In fact the intrusion was discovered, investigated and secured in a matter of days, and our notice to consumers and standing up a support call center and identity theft protection service happened yesterday, Oct. 1. The notice to state AG’s happened today.
Where I think the confusion happened is that the data acquired was for some
T-Mobile USA customers who applied for services between Sept., 2013 and Sept. 16, 2015.
You got the timing of the actual intrusion correct and on Sept. 15 we
discovered the unauthorized access.
So there you have it: the breach occurred last month and was discovered within days.