July 2, 2022

T-Mobile Data Breach

This article was supposed to be a rundown of the mid-August 2021 T-Mobile data breach that rocked the mobile phone market and sent millions of people into panic mode. It was going to be about steps that victims could take, class action lawsuits hitting the courts, and opinions from tech experts around the world.

…then they suffered the second breach in late December.

After a few weeks of analysis on this latest security fiasco, we’re ready to talk about a more serious subject: Why the mobile phone industry is a prime target for hackers, and the massive treasure trove that is available if they succeed.


Details On The First T-Mobile Data Breach

The first major security incident was reported in the third week of August 2021. A hacker broke into T-Mobile’s network and accessed the databases that held all manner of user data, including:

  • 850,000 T-Mobile prepaid customer names, phone numbers, and PINs.
  • 7.8 million T-Mobile postpaid customer names, dates of birth, SSNs, driver’s license or photo ID information, phone numbers, IMEI and IMSI information, and identifying handset details.
  • 5.3 million additional postpaid customer names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs.
  • 40 million other customers and prospective customers' first and last names, dates of birth, SSNs, and driver’s license or ID information.
  • 667,000 additional customer and prospective customer names, phone numbers, addresses, and dates of birth.

Some of those groups overlap slightly, but not by much. In total, approximately 53 million customers were impacted in one way or another. Tens of millions had been opened up to fraud, identity theft, and countless scams. And a little under eight million had just about every possible detail leaked, making their lives a living hell if they were targeted in the future.

Class action lawsuits were spawned. Customer support almost certainly had some sleepless, depressing days ahead of them.

The full statement from the company itself on the August T-Mobile data breach can be found here. The after-incident statement a couple of weeks later said:

‘...we now know how this bad actor illegally gained entry to our servers and we have closed those access points. We are confident that there is no ongoing risk to customer data from this breach.’ Mike Sievert - CEO of T-Mobile

And that was likely true, at least with regard to breach number one.

Details On The Second T-Mobile Data Breach

But the problem is that security failures of this magnitude have ripples. It is rare that a hacker ‘gets lucky’. Far more likely, there are endemic security issues with the company in question, and a little bit more poking will find additional flaws. And that’s exactly what happened in this case.

T-Mobile reported that the number of customers impacted by the second hack was ‘a very small number’ and didn’t go into details. Lots of numbers are very small when compared to 53 million, of course. To this day we don’t know how many people were impacted. This was the sixth successful T-Mobile hack since 2018 (that we know about).

What we do know is that a number of customers were victims of unauthorized SIM swaps. Additionally, a number of customers had their call logs, phone details, and network numbers leaked. A small cross-section of customers had both of these things happen.

SIM swaps are a popular attack because phones are so often used for two-factor authentication (2FA). Once an attacker controls the phone number, any passwords they have obtained can be used on the many online services that rely on phones for 2FA, and the attacker can confirm the ‘authorized’ changes themselves.

Common or not, another T-Mobile data breach looked quite bad, particularly since it happened just after Christmas when millions of people had just been gifted new phones, one of the most popular gifts on the planet.

What Do Victims Need To Do?

Hopefully, victims of the breach earlier in 2021 have already taken action, or they might be in some real hot water by now.

For victims of the latest breach, change passwords on every site that uses two-factor authentication (and never use the same password twice). If you have issues remembering lots of different passwords, consider using a secure password manager or a privacy tool.

Change all PINs on all phones in the household. Double-check all charges made to the phone account and any associated credit card or bank account (credit card information was not directly involved in the hack, but if 2FA was compromised and your card or bank account was linked…). And contact T-Mobile, as they have offered credit rating protection, identity monitoring services, and credit monitoring service plans to past victims. They’ll give you additional steps to follow.

How The T-Mobile Data Breach Exposes Bad Industry Practices

Data hygiene might seem like a strange phrase, but it is incredibly important in this case.

You may notice that data of both prospective and former customers was included in the August hack. Over 40 million, in fact. After no longer being under contract, most customers should only remain on the books for a reasonable amount of time (a short period to make sure cancellation or failure to carry through with a new account wasn’t in error). Then the personal information of those former clients needs to be deleted.

This is one of many components of data hygiene. Keeping records current and pruning old client information is supposed to be a standard. But in some industries, it seems to be the exception rather than the rule.

It’s particularly shocking in the mobile phone vertical for a couple of reasons. One, they often act as creditors, which means they need to be held to a very high standard in terms of data privacy. And two, they’re allowed to take and store the most common forms of ID in the world, including driver’s license information. These are the things that can be used to apply for even more types of ID. They’re absolutely golden on the secondary market.

So making sure that there’s a script to scrub old client data, and verifying that the script is functioning properly, should be a no-brainer in the industry. You’re a creditor, at the crossroads of a communication device that people rely on for authentication purposes, holding on to the contents of sensitive identifying documents.

Given the successes we’ve seen against these companies and the kind of information that gets stolen, the failure to prune old data and practice sane data hygiene is shocking. And shockingly common.
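
To make the "scrub script plus verification" point concrete, here is an added sketch (not code from T-Mobile or from this article) of a retention purge paired with an independent check that it worked. The table layout, the column names, the 90-day window and every record are assumptions constructed for the example; the check also reports former or prospective records with no end date, which a date-based purge silently skips.

```python
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumption: the article only says "a reasonable amount of time"
PII = ("name", "dob", "ssn", "id_document", "phone")  # hypothetical column names
STALE = "status IN ('former', 'prospect') AND ended_on < ?"
HAS_PII = "(" + " OR ".join(f"{c} IS NOT NULL" for c in PII) + ")"

def build_sample_db():
    """In-memory table filled with constructed records (no real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, status TEXT, "
               "ended_on TEXT, " + ", ".join(f"{c} TEXT" for c in PII) + ")")
    rows = [
        (1, "active", None, "A. Active", "1980-01-01", "000-00-0001", "DL-X1", "555-0101"),
        (2, "former", "2021-07-01", "B. Recent", "1981-02-02", "000-00-0002", "DL-X2", "555-0102"),
        (3, "former", "2019-03-15", "C. Stale", "1982-03-03", "000-00-0003", "DL-X3", "555-0103"),
        (4, "prospect", "2018-11-02", "D. Prospect", "1983-04-04", "000-00-0004", "DL-X4", "555-0104"),
        (5, "former", None, "E. Undated", "1984-05-05", "000-00-0005", "DL-X5", "555-0105"),
    ]
    db.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?)", rows)
    return db

def cutoff(today):
    """ISO date before which a closed or abandoned account counts as stale."""
    return (today - timedelta(days=RETENTION_DAYS)).isoformat()

def purge_stale_pii(db, today):
    """Blank the PII of former/prospective customers past the retention window."""
    sets = ", ".join(f"{c} = NULL" for c in PII)
    cur = db.execute(f"UPDATE customers SET {sets} WHERE {STALE} AND {HAS_PII}",
                     (cutoff(today),))
    db.commit()
    return cur.rowcount  # number of records scrubbed in this run

def verify_purge(db, today):
    """Independent check of the purge: returns (leftover_ids, undated_ids)."""
    leftover = [r[0] for r in db.execute(
        f"SELECT id FROM customers WHERE {STALE} AND {HAS_PII} ORDER BY id",
        (cutoff(today),))]
    # A NULL end date never compares below the cutoff, so the purge skips these rows.
    undated = [r[0] for r in db.execute(
        "SELECT id FROM customers WHERE status IN ('former', 'prospect') "
        "AND ended_on IS NULL ORDER BY id")]
    return leftover, undated
```

Run `verify_purge` on a schedule separate from the purge itself, and alert whenever either list is non-empty.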

Going Forward

The only way to change these practices is tougher legislation, bigger penalties for failure, and higher payouts on class action lawsuits. Hackers aren’t going to stop hacking because their targets are too easy or too valuable. Quite the opposite.

T-Mobile nets billions of dollars a year. If they or any other carrier continue to screw around with customers’ personal data, they need to be hit right in the pocketbook. It’s the only language they understand.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
