
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,563
30,893


T-Mobile has issued a statement with further details about a cyberattack that the company confirmed earlier this week, confirming that the data breach included the personal information of almost 50 million current, former, and prospective customers.


Late last week, T-Mobile confirmed that a forum post that purported to offer data from more than 100 million people was the result of a company data breach. At that time, it was not known if personal customer data had been accessed, but T-Mobile has now confirmed that the stolen data included personal information, such as customer names, dates of birth, SSN, and identification such as driver's licenses. There is as yet no indication that the data contained information about customer financial or payment information.

Currently, the information of 7.8 million current T-Mobile customers is believed to have been stolen, as well as information of over 40 million former or prospective customers. The company has been able to confirm that approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were also exposed, leading the company to proactively reset all of these PINs.

Customers are due to be contacted shortly with the news that T-Mobile will immediately offer two years of free identity protection services with McAfee's ID Theft Protection Service, implement an additional step to protect mobile accounts with Account Takeover Protection, and publish a new web page for information and solutions for customers to further protect themselves. Customers will also be encouraged to change their account's PIN. T-Mobile's investigation into the data breach is ongoing.

Article Link: T-Mobile Data Breach Included Personal Information of Almost 50 Million Customers
 

The Cappy

macrumors 6502a
Nov 9, 2015
649
1,144
Dunwich Fish Market
Can someone explain to me why they are keeping 40 million former customers’ and prospective customers’ information? Especially SSNs?
Customer data including SSNs was accessed and prospective customer data was accessed. That doesn’t mean prospective customer data included SSNs. Former customer data though… quite possibly they kept the data and just unchecked the box marked “current subscriber.”
 

rpt777

macrumors newbie
Aug 22, 2011
14
16
Seems to me that once they have checked your credit and you have an account, there is no reason for them to keep your personal data on file. They should just assign you a customer number, which would be your phone number, and then let you create a password and that is the only way in to your account.
 

MikeVarney

macrumors member
Jun 17, 2009
56
47
FFS, why didn't they encrypt all that data? What kind of security amateurs do they employ?
It very well could have been encrypted. However one inappropriately developed and subsequently stolen piece of source code would get right around that encryption.

Encryption is only good for security if the method of decryption isn't compromised as well.
 

rainafterthesun

macrumors 6502a
Jun 23, 2010
859
1,103
Still wondering how this affects Sprint users :rolleyes:
Sprint was so **** up in my experience.
Someone @ sprint was able to create a user profile with my info (but obv not all of it is correct as it wasn’t authorized aka wasn’t me) but they did have my old ssn from previous account w/them. Hit my credit report as a delinquency. Had to dispute and luckily was successful.
 

Sasparilla

macrumors 68000
Jul 6, 2012
1,962
3,378
Wow they got the whole caboodle of info you can get.

Seeing the number of 50 million, not 50k mentioned in the article. Which would seem to be most of T's U.S. customer base.

As for why this happens over and over, it's because there are no serious penalties for the companies and their executives when this happens. So the cost isn't high enough for them to spend the money....(it's always that)
 

velocityg4

macrumors 604
Dec 19, 2004
7,329
4,717
Georgia
Maybe it's time the government develops a system for one time use keys for social security numbers. So, when companies want to do credit checks or background checks. It's only good for that one check and they don't get a person's real SSN permanently.

Perhaps for the purposes of credit. People can generate two keys. One being a one time use for a credit check. The second only able to send updates. Such as credit limits, usage, missed payments, &c. But is not possible to use for any new credit checks, lines of credit, &c.

That way people won't have to reveal their SSN. This could also be applied to employers, 1099 wages and so forth. They don't need your SSN. An alphanumeric key only good for reporting wages and such is all they need. As it would be keyed to your SSN.

Basically a system which minimizes the number of sources with your actual SSN. While still allowing checks and reporting. With random keys which have a limited scope of usage.
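The scoped-key idea in the post above, sketched as an added example that is not part of the original post: a hypothetical issuer-side vault (`SsnTokenVault`, its method names, and the scope strings `credit_check` and `report_update` are all assumptions) hands out random tokens that are bound to one purpose, and the credit-check token is consumed on first use.

```python
import hashlib
import hmac
import secrets


class SsnTokenVault:
    """Hypothetical issuer: the only party that ever stores the real SSN."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # vault secret, never leaves the issuer
        self._ssn = {}                       # person_id -> SSN
        self._tokens = {}                    # HMAC(token) -> (person_id, scope, single_use)

    def enroll(self, person_id, ssn):
        self._ssn[person_id] = ssn

    def _digest(self, token):
        # Store only a keyed digest, so a leaked token table holds no usable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, person_id, scope, single_use):
        if person_id not in self._ssn:
            raise KeyError("unknown person")
        token = secrets.token_urlsafe(16)    # random: reveals nothing about the SSN
        self._tokens[self._digest(token)] = (person_id, scope, single_use)
        return token

    def redeem(self, token, action):
        """Return the internal person_id if the token permits `action`, else None.
        The SSN itself is never returned to the relying party."""
        digest = self._digest(token)
        entry = self._tokens.get(digest)
        if entry is None or entry[1] != action:
            return None                      # unknown, already used, or out of scope
        if entry[2]:
            del self._tokens[digest]         # one-time key: burn on first valid use
        return entry[0]


def demo():
    vault = SsnTokenVault()
    vault.enroll("person-1", "000-00-0000")  # constructed placeholder SSN
    check = vault.issue("person-1", "credit_check", single_use=True)
    report = vault.issue("person-1", "report_update", single_use=False)
    return [
        vault.redeem(check, "credit_check"),    # first credit check succeeds
        vault.redeem(check, "credit_check"),    # replay of the one-time key fails
        vault.redeem(report, "credit_check"),   # reporting key cannot open credit
        vault.redeem(report, "report_update"),  # reporting key works for updates
        vault.redeem(report, "report_update"),  # and is reusable within its scope
    ]
```

A breach at the relying party then exposes only tokens that are either spent or limited to sending updates, not the SSN.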
 

mzeb

macrumors 6502
Jan 30, 2007
358
612
How about these companies actually lift a finger to secure this data before it gets exposed?
I suspect it was. However software and IT systems are created by humans and still fallible. These things will continue to happen.
What needs to happen is the passage of laws that when this data does leak the company is held responsible and the repercussions based on the severity of the information. i.e., for each customer name that is leaked it’s a $10k fine and for each SSN it’s $1M. This will encourage companies to keep only the necessary data on customers or risk getting hit hard. I’m sure I already have another year or so of identity monitoring from a previous leak from some other company. This is a drop in the bucket compared to the potential damage caused.
 

Freeangel1

Suspended
Jan 13, 2020
1,191
1,753
WOW! these guys using insecure Windows Servers tied to the Internet to keep their data on?
Or the better option LINUX!

I would always use LINUX servers in mission critical DATA.

Windows 10 and 11 client are great to use not connected to the internet.

But Windows Server is so insecure. I would never trust it to host large valuable data on the internet.

LINUX RULES for Mission Critical servers. UNIX even better !! BSD UNIX AWESOME.
 

w5jck

Suspended
Nov 9, 2013
1,517
1,935
I’ve had T-Mobile service for a decade now, and this is at least the third time this has happened in the past few years! I hate Verizon and AT&T too much to switch to those vultures. Besides, in this day and time it is pretty common to see companies experiencing these breaches. A few years ago the US government had some of their employees' data breached too. I had worked for the US gov't twice in the past, and they notified me of my information being breached. Since then I keep my credit reporting accounts closed down to help against identity theft. I only open them up briefly if I need to apply for credit. Tis the world we live in these days...
 