This post has been updated. It was originally published on August 17, 2021.
On Sunday, Motherboard reported that hackers accessed the personal information of over 100 million T-Mobile customers and were selling it on an underground forum.
In the post on that forum, the seller offered a subset of the data containing 30 million social security numbers and driver licenses for a price of 6 bitcoin, or about $270,000. T-Mobile confirmed on Monday that its servers were indeed hacked but did not provide any further details on the number of accounts affected or the type of information leaked in the hack.
“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile said in a statement. “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency.”
T-Mobile said in the same statement that it will “proactively” reach out to customers once it completes the assessment.
In a new statement on Tuesday, T-Mobile said it determined in a preliminary analysis that the account information of approximately 7.8 million current postpaid customers and 40 million former or prospective customers was affected. Data accessed included first and last names, date of birth, social security number, driver’s license or other identification information but did not include financial information such as credit or debit payment details.
Additionally, T-Mobile confirmed that names, phone numbers, and account PINs of around 850,000 active prepaid customers were also exposed in the hack. “We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away,” the company said.
T-Mobile gave another update on Friday, saying it had found 667,000 more former customers who had their names, phone numbers, addresses and dates of birth exposed, but no identification information or social security numbers were accessed for these accounts.
If what Motherboard reported holds true, some experts are concerned that it could put customers at risk for personalized scams or account takeovers. “This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” Crane Hassold, director of threat intelligence at Abnormal Security, told Wired.
Data breaches have been burgeoning in recent years. Researchers at cybersecurity firm F5 tracked 117 credential data breaches in 2020 alone, an all-time high.
The cybercriminal ecosystem is growing more complex, specialized, and at times collaborative through underground networks, a reality that can create significant security challenges for companies.
Part of the problem is that companies store a plethora of sensitive customer data. “Clearly, every company asking for so much personal information from consumers is not a good model,” Shuman Ghosemajumder, global head of artificial intelligence at F5, says in an email. “Both companies and consumers should be aware of the need to minimize the amount of personal data we all give to companies.”
“The fact that T-Mobile, along with thousands of other companies, are storing driver’s license numbers, addresses, and social security numbers means that any of these companies being breached irrevocably puts difficult-to-change or even unchangeable identity information in the hands of cybercriminals,” he adds. “That same information can then be used at other companies to commit identity theft and other crimes.”
Ghosemajumder points out that these successive data breaches are a type of red flag that we need more robust societal mechanisms for securely and privately verifying consumers’ identities.
T-Mobile said that in response to the new findings, it will be offering two years of free identity protection services and account takeover protection features to customers at risk of a cyberattack. Meanwhile, experts advise that consumers stay wary of emails, calls, and messages from people they don’t know, and regularly check their credit card activity for any unknown transactions.
This post has been updated to reflect new information from T-Mobile released on August 20, 2021.