T-Mobile Confirms Data Breach, Unclear If Personal Customer Data Was Accessed

[MacRumors]

T-Mobile today confirmed that some of its data had been accessed without authorization in a breach that may impact more than 100 million of its users.

Over the weekend, T-Mobile began investigating a forum post that offered data from more than 100 million people. T-Mobile was not mentioned in that post, but the person selling the data told Motherboard that it had come from T-Mobile's servers, thus leading T-Mobile to look into it. The hacker who spoke to Motherboard claimed that several T-Mobile servers had been breached.

T-Mobile has now confirmed that there was indeed unauthorized access to some customer data, but T-Mobile in a statement says it does not yet know if personal customer data has been accessed.

We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.

We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.

According to the original forum post, the data for sale includes social security numbers, phone numbers, names, physical addresses, IMEI numbers, and driver licenses information. Motherboard said that it was provided with some samples of data and was able to confirm that they contained accurate information on T-Mobile customers.

T-Mobile says that the entry point used to gain access to the data has been closed, and it is now conducting a "deep technical review" of the situation to determine the nature of the data that was obtained. The company will not be able to confirm the reported number of records affected until the internal investigation is complete, and it plans to proactively communicate with customers when the information is available.

Article Link: T-Mobile Confirms Data Breach, Unclear If Personal Customer Data Was Accessed

 

[ouimetnick]

🤣 I switched from AT&T to T-Mobile this past May…. 😬🙃

 

[LawJolla]

I own a small car dealership and I encrypt all of my customer's data at rest. I could hand my database to a hacker with next to nothing compromised. You'd need to dump my database and steal the secret in memory key.

In 2021 these billion dollar companies need to be held accountable. Unacceptable.

 

[justperry]

T-Mobile USA only I hope.🤔

 

[lip008]

Anytime I've had to go into Sprint or T-Mobile they required a scan of my driver's license. It's been a pita to access the account or go into the store for a while now all in the name of security! Guess that was all for nothing! Status quo....we'll get 18 months of credit monitoring and $8 from the lawsuit outcome in 2025...

 

[Wildkraut]

With iOS running as Server this wouldn’t have happened.

/s

 

[TheDailyApple]

This is why you don’t give out your ssn even if a company asks for it.

 

[Wags]

Companies should be fined heavily for stuff like this. Many don’t invest enough resources to be responsible but not enough public outrage. Will be no news by tomorrow.

 

[velocityg4]

Can't recall if I had to give my ID and SSN or not. I brought my own phones, paid for the sim cards and got a prepaid plan. I'm guessing they never got that info.

 

[TheYayAreaLiving 🎗️]

Ouch! This isn't good! Hopefully AT&T and Verizon's is not next!

 

[Graphikos]

I own a small car dealership and I encrypt all of my customer's data at rest. I could hand my database to a hacker with next to nothing compromised. You'd need to dump my database and steal the secret in memory key.

In 2021 these companies need to be held accountable. Unacceptable.

That all sounds nice in theory but as we know nothing is ever 100% secure. For a small business, you can more easily lock things down and restrict access. When you talk about large corporations with so many different facets and functions it becomes much harder to grant access to those who need it, trust everyone that is involved, and keep hardware and software secure. There are just so many more variables that you really can't compare.

 

[4jasontv]

When people accidentally allow distribution it's $22,500 per incident, but when it happens to a company they hold no liability but promise to "investigate the validity" of the claim.

Sue them into the dirt, replace all the executives and sell their assets to anyone who hasn't worked for Verizon or ATT in the past five years.

 

[gaximus]

I own a small car dealership and I encrypt all of my customer's data at rest. I could hand my database to a hacker with next to nothing compromised. You'd need to dump my database and steal the secret in memory key.

In 2021 these billion dollar companies need to be held accountable. Unacceptable.

That could be what happened. They've only confirmed that the data was accessed, not that it was decrypted(assuming that it is all encrypted, not that I think it was.).

 

[SFjohn]

That’s totally unacceptable in this day and age. As a T-mobile customer for years now, this is really bad. Social Security numbers, phone numbers, names, physical addresses, IMEI numbers, and driver licenses information! What else? Mother’s Maiden Name? T-Mobile needs to pay for a lifetime of fraud monitoring on every account stolen!

 

[velocityg4]

Companies should be fined heavily for stuff like this. Many don’t invest enough resources to be responsible but not enough public outrage. Will be no news by tomorrow.

At least for the companies who don't seem willing to beef up IT security enough. This is at least the fifth breach for T-Mobile since 2018.


From 2020

Second Data Breach in 2020 for T-Mobile Exposed Customer and Call-Related Information of 200,000 Subscribers - CPO Magazine

T-Mobile disclosed a second data breach in 2020 in which hackers illegally accessed call-related and customer proprietary network information for about 200,000 subscribers.

www.cpomagazine.com

 

[tigres]

2nd time for t-mobile. get your **** together.

 

[sw1tcher]

Companies should be fined heavily for stuff like this. Many don’t invest enough resources to be responsible but not enough public outrage. Will be no news by tomorrow.

The cost from a data breach affects their bottom line less than the annual cost of security

 

[4jasontv]

The cost from a data breach affects their bottom line less than the annual cost of security

Bill the executives and anyone holding more than 10% of outstanding shares. Not the company.

 

[Realityck]

I own a small car dealership and I encrypt all of my customer's data at rest. I could hand my database to a hacker with next to nothing compromised. You'd need to dump my database and steal the secret in memory key.

In 2021 these billion dollar companies need to be held accountable. Unacceptable.

Guess the CIO will be leaving soon. Seriously you should have this type of information walled off on a secure intranet server array using encryption.

 

[sw1tcher]

Can't recall if I had to give my ID and SSN or not. I brought my own phones, paid for the sim cards and got a prepaid plan. I'm guessing they never got that info.

Pre-paid plans don't require SSN. You don't even need to provide your real name or address.

That's why they're popular with people who have poor or no credit and criminals (for burner phones).

 

[DeepIn2U]

T-Mobile USA only I hope.🤔

WooHooo


it’s the return of Captain Crunch = free calls for everybody in TMobile USA!

 

[DeepIn2U]

Pre-paid plans don't require SSN. You don't even need to provide your real name or address.

That's why they're popular with people who have poor or no credit and criminals (for burner phones).

FYI I haven’t been poor I haven’t poor credit doesn’t affect you getting a prepaid phone plan since it never hits your cr3dit report so real addresses can be given without any worry.

 

[dcingie]

Still waiting on my settlement check from the yahoo and Experian data breach and the iPhone slow down class action!

 

[velocityg4]

Pre-paid plans don't require SSN. You don't even need to provide your real name or address.

That's why they're popular with people who have poor or no credit and criminals (for burner phones).

It's also popular with people who realized postpaid plans and phones on credit are overpriced.

 

[coachgq]

I own a small car dealership and I encrypt all of my customer's data at rest. I could hand my database to a hacker with next to nothing compromised. You'd need to dump my database and steal the secret in memory key.

In 2021 these billion dollar companies need to be held accountable. Unacceptable.

And yet one of the 3 largest cellular provideers in America can‘t do something like this to protect its users. Dumb.