T-Mobile customers affected by the Experian breach can sign up with CSID for identity protection services

If you are a T-Mobile customer whose data was caught up in the Experian breach, there is now an alternative to the two-year offer of Experian’s ProtectMyID service. T-Mobile has made arrangements with CSID as an alternative. You can read the details and sign up at https://www.csid.com/t-mobile/ . Thanks to Steve Ragan for sharing that info with me.

Although John Legere announced the availability of an alternate product earlier today on Twitter, the CSID alternative is being dealt with somewhat strangely on Experian’s breach web site, T-Mobile’s breach web site, and on Twitter. Experian’s breach info page simply says:

Those affected by this incident can obtain more information or enroll in these services by:

Did you catch it? If you go to the url in the first bullet, you can conveniently sign up online for ProtectMyID (Experian’s product), but you have to call them to enroll in the unnamed alternative product – even though there’s a web page and url they could have directed you to.

And watching Twitter today, it seems that at least some of those who called the number to ask about the “alternative identity protection product” reported being told that the unnamed product was not available. Hopefully, Experian’s sorted that out by now, but T-Mobile USA would not answer my question as to why neither Experian nor T-Mobile would name the alternative product on the breach FAQ web sites or on Twitter. Was some kind of deal cut? You’d think T-Mobile – owing a duty to its customers and applicants – would be more transparent in announcing the availability of another identity protection service as an alternative to Experian’s own product.

So why has T-Mobile studiously avoided naming CSID as an alternative offering, and why hasn’t Legere and/or T-Mobile USA provided direct links to the CSID sign-up in both their tweets and on T-Mobiles breach FAQ?

In any event, do keep in mind that neither of the available services will prevent identity theft. If you’re really concerned, you should follow the steps under your state’s law to place a security freeze with credit reporting agencies (Equifax has a helpful chart with state by state information). A less extreme measure is to place a fraud alert on your credit reports.

So far, both companies maintain that there is no evidence of misuse. Other than one company, Trustev, that reported seeing  data that could be from this incident up for sale on the dark web, I have not seen any other such reports.

The Good and the Bad

To my knowledge, T-Mobile is the first company to ever make arrangements for a non-Experian product in the wake of an Experian data breach. I give them credit for that, BUT: why was the Experian product in their contract initially instead of an alternative? And how many other businesses that contract with Experian have contracts that specify that Experian can provide (only) its own product (e.g., ProtectMyID) in the event of a breach?

As I complained to the FTC in 2012, Experian should not be allowed to offer only its own product to consumers in the event Experian has a data breach – particularly since those same consumers may continue with Experian after the “complimentary” period ends, thereby increasing Experian’s revenues as a result of the breach.

Can you hear me now, FTC?

About the author: Dissent