Personal info of 48 million-plus consumers exposed in T-Mobile breach

A major U.S. wireless provider with more than 3,200 retail stores is acknowledging a significant cyberattack that revealed some sensitive consumer information.

In an online press release, T-Mobile said it has been “urgently investigating” a “highly sophisticated” cyberattack against its systems. 

While its investigation is still underway, T-Mobile is confirming that the data stolen from its systems encompassed personal information, including first and last names, date of birth, Social Security number, and driver’s license/ID information for a subset of current and former post-pay customers and prospective T-Mobile customers.

T-Mobile says it has no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information. The company also says no phone numbers, account numbers, PINs, or passwords were compromised in any breached files of post-pay customers or prospective customers.

Preliminary analysis indicates approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. 

In addition, T-Mobile says approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed. The company has already proactively reset all of the PINs on these accounts, and says it will be notifying the affected customers right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.

Late in the week of Aug. 9, the company was informed of claims made in an underground online forum that a bad actor had compromised its systems. According to T-Mobile, it immediately began investigating the claims and brought in cybersecurity experts to help assess the situation. As a result, the company located and closed the access point it believes the hackers used for illegal entry into its servers.

On Tuesday, Aug. 17, the company verified that a subset of T-Mobile data had been accessed by unauthorized individuals. It also began coordination with law enforcement as its forensic investigation continued.

As a result, T-Mobile says it will shortly contact affected consumers to explain that it is immediately offering two years of free identity protection services with McAfee’s ID Theft Protection Service. The company is also recommending that all T-Mobile postpaid customers proactively change their PIN, despite the fact that the company has no knowledge that any postpaid account PINs were compromised.

“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” T-Mobile said in the press release. “While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve.”

A recent study from Verizon indicates that 84% of retail threat actors in recorded breaches were external, 17% were internal, 2% consisted of multiple external/internal actors, and 1% were retail partners. Unsurprisingly, 99% of retail breaches recorded by Verizon were financially motivated, while espionage drove the remaining 1%.

Security expert Uriel Maimon, senior director of emerging technologies at cybersecurity company Perimeter X, told Chain Store Age that once breached information is “out in the wild,” it can be used and repurposed for multiple uses for years to come.
 
“Most states in the U.S. require companies that know they have been breached to inform the victims,” said Maimon. “This means that if T-Mobile does indeed know there has been a disclosure of personal information, then they cannot remain indefinitely silent and still remain in compliance with the law. 

“This underscores an issue with security today,” Maimon continued. “Even if the reason for the data leak is not a failure of security controls, but an account takeover that occurs as the result of a breach, the reporting obligation and reputational damage still falls on the business. This means that a major breach like this could have knock-on effects not only for the millions of victims, but for hundreds or thousands of businesses where this data is going to be used for creation of synthetic identities or identity theft and account takeover.”
