T-Mobile, America's fastest-growing mobile network, threatened to cancel its contract with the FTSE 100 company after the latest high-profile corporate hack. Shares in the credit monitoring group dropped more than 4 per cent on Friday after the attack was revealed, before closing down 3.8 per cent.
"I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," said John Legere, the chief executive of T-Mobile US. He was "working as fast as possible to provide alternate protection options", he added.
The attack is the most recent in a rising number of breaches by hackers targeting companies holding personal details on millions of customers. Identity theft has become more lucrative than stealing credit card details, experts warn.
Experian is the world's largest credit-checking company and holds data on millions of businesses and consumers and conducts billions of credit checks a year.
Its web of electronic connections to companies of all sizes make it attractive to hackers. Defending the company and its customers from cyber attack has been a board-level priority in recent years.
The number of credit checks performed by Experian on behalf of T-Mobile has jumped over the past two years as the third-largest wireless network in the US has grown at a blistering pace, adding roughly 1m new customers each quarter and far outpacing its larger rivals.
A rising number of cyber attacks in the past two years has led to high-profile breaches of security at Sony, Staples, Target and Home Depot in the US. In the UK, Carphone Warehouse revealed in August that personal details of up to 2.4m of its customers may have been stolen.
Experian said it had taken immediate action to secure the server that had been breached, while initiating a comprehensive investigation and notifying US and international law enforcement.
Experian will notify consumers who may be affected, and offer two years of free credit monitoring and identity resolution services.
"We take privacy very seriously and we understand that this news is both stressful and frustrating," said Craig Boundy, chief executive of Experian North America.
More from the Financial Times:
- US attacks 'inaccurate' spying assertions
- Geeks deter safe surfing?
- Data rules weave a tangled global web
T-Mobile said "the hacker acquired the records of approximately 15m people, including new applicants requiring a credit check for service or device financing from September 1 2013 through September 16 2015".
These records included personal details such as name, address and date of birth as well as encrypted fields with Social Security numbers and identification numbers from driving licences or passports. Experian said this encryption may have been compromised.
Potential damage to its reputation was the biggest worry for Experian, analysts at Barclays said.
"When you type "Experian" into Google, the suggested first result is "Experian data breach", the next results are "Experian data breach 2014" and "Experian data breach 2013". If this isn't a wake up call to take action, I don't know what is," said Gavin Reid, vice-president of threat intelligence at Lancope, a cyber security firm.