It seems like we can’t go a week without hearing about another massive security breach at a mega-corporation. This week’s shocker comes courtesy of T-Mobile, at least according to one self-reported hacker claiming to sell the company’s customer data. T-Mobile says it’s “investigating” the possible theft of data from over 100 million people. If true, it would be the fourth notable data breach from T-Mobile in the last four years.
Vice has reportedly spoken to said hacker, who told the media outlet that the data includes the usual names, phone numbers, and IMEI data, but also includes more valuable personal information. These include drivers’ license info, social security numbers, and personal addresses. Assuming the claim is genuine, it’s a treasure trove of tools for identity theft, being sold on an underground forum for a pittance at 6 untraceable bitcoin (a little under $280,000 USD, at today’s prices).
The hacker claims that T-Mobile is aware of the theft, as they no longer have access to the information, though it’s reportedly saved in a local file. T-Mobile said that it’s investigating the claims that have been made, but has not verified them as of yet.
Customers would certainly be justified being upset with T-Mobile if their personal information was stolen, especially since opening a post-paid phone line or buying a phone on a payment plan requires the same kind of credit check as a car loan. It would be an embarrassing addition to a string of breaches for the company, most recently in December and March of last year. T-Mobile also had breaches in 2017 and 2018. This is becoming a running theme.
But in today’s world, it’s not so much if your information will be leaked, but when. Trusting corporations to be responsible stewards of your data will inevitably end in disappointment, and the only real alternative is vigilance in watching your own accounts and information for anomalies.
T-Mobile releases investigation findings
Two days after the company initially confirmed the attack, T-Mobile has published the findings of its investigation. According to its press release, 7.8 million current T-Mobile postpaid customers and “just over 40 million” previous or prospective customers are part of the leak, with the stolen data including names, addresses, birthdates, driver’s license info, and social security numbers. T-Mobile says that phone numbers, account numbers, credit card numbers, passwords, and PINs for those customers were not compromised in the hack.
But for the least-lucky victims, that’s not the case. The company went on to say that 850,000 active T-Mo prepaid customers were more fully compromised, with names, phone numbers, and PINs captured. T-Mobile has automatically reset all of these PINs, and notes that the hack didn’t include Metro, Sprint, or Boost accounts were compromised.
T-Mobile says that it’ll send alerts to affected individuals shortly, along with the somewhat rote offer of free service with McAfee ID Theft Protection. (Why is that always the go-to after identity info has been stolen?) T-Mobile also recommends that customers change their PINs, even if they aren’t part of the most seriously affected group.
Well, it’s been another couple days, and T-Mobile is back with a new update on its investigation into the breach. And surprise, surprise — it’s more bad news.
Remember how the carrier was telling us earlier that the 7.8 million compromised postpaid accounts didn’t have their phone numbers exposed? Yeah, not so much. Now T-Mobile believes that phone numbers and IMEI data were also involved.
There also appears to be a whole lot more subscribers involved than previously reported. T-Mobile found another 667,000 previous customers and 5.3 million current users whose personal information was exposed (although at least not their driver’s license numbers and socials).
And these are just the accounts where personal info was accessed. Apparently there were also a bunch where hackers got phone numbers and IMEI data but no personal info — and T-Mobile is being very cagey about not sharing even a ballpark figure of how many people are affected there.
Again, the carrier warns everyone to reset PINs and passwords, and waves around its offer of free identity protection services, but oof — this already bad situation is only getting worse and worse.
We’re now well over a week removed from the initial breach, and T-Mobile is doing a bit of reflection on what went wrong and how it might be avoided going forward.
Hacker John Binns stepped up to take credit for the attack, calling the carrier’s security practices “awful.” Binns has reportedly been scanning T-Mobile’s systems for vulnerabilities since last summer, ultimately gaining access to a data center in Washington state.
As for T-Mobile, the carrier relates that it’s “disappointed and frustrated” with this whole saga, and reiterates the identity-protection services it’s making available for affected users. It confirms that by this point it’s reached out to notify everyone whose data it detected as being involved in the breach. And if you hadn’t heard anything but were still feeling a little nervous, T-Mobile has taken the additional step of actively placing a notice on its login portal for unaffected users, confirming if your info wasn’t involved in the hack.
Beyond that, there are plenty of assurances that it’s taking all this quite seriously, and has contracted an “industry-leading” cybersecurity firm to keep an eye on things, but one way or another, incidents like this seem to keep right on happening. Who’s taking bets on how long it’s going to be until the next one?