T-Mobile Data Breach Impacts More than 40 Million People

The hacker(s) who carried out the recent T-Mobile data breach obtained personal information on more than 40 million former or prospective customers who previously applied for credit with the carrier.

T-Mobile reported the latest findings from its ongoing investigation into the data breach first reported last weekend. A forum post claimed to be selling a mountain of personal data.

“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the carrier said.

Some of the data accessed did include first and last names, dates of birth, social security numbers, and driver’s licenses/ID information for a subset of current and former post-pay customers and prospective T-Mobile customers.

“At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed,” the carrier said.

T-Mobile has reset all of the PINs. It also will be notifying impacted individuals.

“No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed,” it said.

T-Mobile also confirmed the hacker(s) assessed some additional information from inactive prepaid accounts. No customer financial information, credit card information, debit or other payment information or social security numbers were in this inactive file, it said.

T-Mobile Hasn’t Learned from Previous Breaches

Forrester’s Allie Mellen

Allie Mellen is analyst of security and risk at Forrester.

“According to the attackers, this was a configuration issue on an access point T-Mobile used for testing,” she said. “The configuration issue made this access point publicly available on the internet. This was not a sophisticated attack. This was not a zero day. T-Mobile left a gate left wide open for attackers. And attackers just had to find the gate.”

This is the fifth public T-Mobile data breach in three or four years, Mellen said. And this latest breach by far leaks the most sensitive data and exposes the most customers.

It seems T-Mobile hasn’t learned from these previous breaches, she said. That’s especially true considering it didn’t know about the attack until the attackers posted about it in an online forum.

“T-Mobile is offering two free years of identity protection for affected customers,” Mellen said. “But ultimately this is pushing the responsibility for the safety of the data onto the user. Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say this is the best we can do.”

Partitioning Data Crucial

Egnyte’s Neil Jones

Neil Jones is cybersecurity evangelist at Egnyte, a content governance platform. He said this is a classic example of the need for organizations to partition data. They should store highly-sensitive information separately from primary identification information such as names, addresses and phone numbers.

“The easier it is for a potential attacker to mine a company’s data, the more likely they’re able to generate financial gain on the dark web,” he said. “This is also a stark reminder that highly-sensitive data should always be categorized by your users’ business need to know, to prevent potential internal threats.”