The Saga of T-Mobile Data Breach
Table of Contents
- When Were T-Mobile’s Past Data Breaches?
- T-Mobile’s 2020 Data Breach
- T-Mobile’s 2021 Data Breach
- 2022 Class Action Settlement
- T-Mobile’s Most Recent (2023) Data Breach
- How to Check if You’re a Victim of a T-Mobile Security Breach
- T-Mobile Data Hacked? Here's What to Do
- Can a T-Mobile Data Breach Lead to Identity Theft?
- What to Do to Protect Yourself Against Cybercriminals
By David Lukic
Aug 17, 2020
T-Mobile has experienced a number of data breaches in the past decade. The first case occurred sometime between September 1 and September 16, 2013. More information was lost in 2015, and there was at least one data breach every year from 2018 to 2021 as well.
T-Mobile kicked this year off wrong by announcing its latest breach in late January of 2023. This incident lost data on approximately 37 million customers, which is neither their largest nor smallest loss.
The main danger of T-Mobile’s latest blunder is the growing body of proof that the company isn’t attempting to right its course. Businesses have an inherent responsibility to protect the data they collect on their customers, and T-Mobile has failed in this responsibility for nearly a decade.
Tech experts called the company’s ability into question in the 2021 breach, which resulted in a half-billion-dollar settlement. Who knows what will happen now that a second breach occurred less than a year later?
When Were T-Mobile’s Past Data Breaches?
T-Mobile customers’ information was accessed through the Experian data breach from 2013 until 2015, and T-Mobile experienced its own data breach in 2018, affecting 2 million customers. The Experian incident was far more severe, affecting 15 million customers and exposing things like social security numbers, passport numbers, and driver’s license numbers, as well as financial data.
The 2018 T-Mobile data breach, however, only afforded cybercriminals things like names, billing addresses and zip codes, dates of birth, phone numbers, email addresses, account numbers, and the account types. T-Mobile later admitted the hackers also got away with encrypted passwords.
The in-house T-Mobile security team shut down the breach quickly and notified customers through text messages. Moreover, in 2019, prepaid T-Mobile customers saw their data breached in an incident where about a million people experienced identity theft. Lastly, the 2020 T-Mobile incident became one of the biggest data breaches of the year.
T-Mobile’s 2020 Data Breach
News spread like wildfire about the T-Mobile data breach, which appears to have been far worse than first expected. It was the sixth data breach for T-Mobile in just four years.
T-Mobile told the press that it had experienced a data breach but was careful to say they weren’t sure if any customer data was exfiltrated in the attack. They also downplayed the damage.
T-Mobile only admitted the data breach after Vice was contacted by hackers who divulged that they were in the process of selling “full customer info” stolen from T-Mobile servers and that the total cache contained more than 100 million customers.
T-Mobile said on Sunday that it was “aware of claims made in an underground forum,” and the company was “actively investigating their validity.”
As a follow-up, the company said they had repaired the vulnerability and are working urgently to investigate the data breach to assess the damage.
In its statement to the press, T-Mobile said,
“Until we have completed this assessment, we cannot confirm the reported number of records affected or the validity of statements made by others.”
T-Mobile elaborated with,
“We have determined that unauthorized access to some T-Mobile data occurred, however, we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
The company will alert customers and stakeholders as the story unfolds and they uncover the whole truth about the breach. However, as they work on that, T-Mobile customers remain at risk from other types of fraud.
More Details from the Hackers
According to the dark web forum, hackers claim to have personal information from 100 million T-Mobile customers, including names, phone numbers, home addresses, and more sensitive data like social security numbers, driver’s license information, and IMEI numbers (unique identifiers tied to each mobile device).
According to Motherboard's first report about the breach, hackers are already selling a portion of the 100 million T-Mobile customers’ data for 6 bitcoin, about $280,000. Motherboard confirmed the sample and said it is accurate information.
Customers and victims of this data breach could face a whole host of attacks, such as phishing through email or SMS text messages, scam phone calls, and SIM card swapping, where the user’s phone number is taken over and they can no longer use their account. Hackers could also use customers’ phones to access other accounts by intercepting text messages for authentication.
T-Mobile’s 2021 Data Breach
T-Mobile lost the names, social security numbers (SSN), and identification data of over 50 million customers in 2021. Victims included former, current, and prospective customers of T-Mobile’s credit offerings. There were also an additional 8 million postpaid customers affected.
If there was one bright side to the event, the company reported that at least each profile’s payment information was spared. The hackers didn’t collect card PINs, account credentials, or banking information from any of the victims.
John Binns, an American hacker located in Turkey, claimed responsibility for the attack. He stated that T-Mobile kept unprotected routers and weak addresses, which allowed him to steal information from over 100 servers.
His interview with the Wall Street Journal didn’t explain what he did with the information. However, most compromised data is sold on the dark web to use for identity theft or other cyberattacks. Binns only stated that the T-Mobile attack’s purpose was to “retaliate against the U.S. for the kidnapping and torture of John Erin Binns.”
The company announced the breach a few days after investigating a minor incident of cell phone sales. Following the investigation, T-Mobile confirmed that they lost “some T-Mobile data” and had addressed the hacker’s point of entry.
Their official website response stated that they could only disclose a few details of the investigation due to working with law enforcement. It also couched the incident by bringing up the growing number of successful cyberattacks across all industries.
T-Mobile notified their affected customer base by August 27th. This was ten days after the information was stolen, a relatively quick response time. This swiftness may have come with the experience of their many previous breaches.
Non-victimized customers were shown a banner on the MyT-Mobile.com account page discussing the breach and urging data safety. The company also took extra steps to make up for their mistake, including:
- A free two-year subscription to McAfee’s I.D. Theft Protection Service
- Pushing harder on their free Scam Shield service
- Creating a web page outlining best practices for online safety
- Implementing Account Takeover Protection for postpaid clients
User accounts also had their PINs automatically changed to protect customers who were late in getting the notification. After all, not everyone logs into their T-Mobile account every day, and even when they do, many don’t look at their inbox.
2022 Class Action Settlement
The 2021 data breach was by far T-Mobile’s most significant loss of customer information. This made many tech experts wary of the company’s ability to learn from past mistakes and gave the cellphone giant a weak position in the inevitable lawsuit.
T-Mobile settled the class action suit the following summer and promised $350 million to damaged customers with individual payouts up to $25,000. The deal also included another $150 million earmarked for restructuring the company’s cybersecurity network.
One issue with this and similar class action suits is that many companies feel it is a slap on the wrist. T-Mobile reported a revenue of $20 billion in the third quarter of 2022 alone. While $500 million is a staggering amount, it’s not much more than a ripple in the pool for most tech titans.
T-Mobile’s Most Recent (2023) Data Breach
The multi-million-dollar cybersecurity initiative wasn’t enough to make a difference, as T-Mobile experienced another data breach after only a few months. The latest breach lost the names, birthdays, and contact information of more than 37 million customers.
T-Mobile assures that no social security numbers, driver’s license information, or payment information were lost. The victim list is substantially smaller than the 2021 attack, but it is still the second largest in the company’s history.
A regulatory filing with the U.S. Securities and Exchange Commission reported that the attack first succeeded on November 25th, 2022. This means eight weeks passed between the initial data loss and T-Mobile’s announcement on January 19th, 2023. This is an extremely slow response considering the telecom giant’s history.
The time lag can be explained, but not justified, by how long it took to detect the malicious activity. The danger went unnoticed until January 5th, 2023, giving the attacker unrestricted server access for over a month. The compromised period included the holiday season in which droves of new customers come out of hiding.
The hacker attacked through an Application Programming Interface (API). An API enables the communication between different websites and applications. For example, businesses use APIs to connect with bank accounts for payments.
In T-Mobile’s response post, which looked very much like all its predecessors, the company boasted about shutting down the hacker’s access in 24 hours. It did not mention the length of time the threat went undetected or the number of affected accounts.
With the investigation still going on, it’s unclear whether T-Mobile will take new steps following its latest breach. However, they have begun notifying their customers through account notifications, emails, and phone contact.
How to Check if You’re a Victim of a T-Mobile Security Breach
If you were affected, then T-Mobile already text messaged you and alerted you via mail or email. They notified customers immediately, assuring them that no credit card data, social security numbers, or other financial information was stolen. However, they first thought passwords were not affected but then later discovered they were.
T-Mobile Data Hacked? Here's What to Do
If you are a T-Mobile customer and have not yet changed your account password, do so now. You can also review the notice that T-Mobile posted for customers regarding the incident. Additionally, you should consider the steps below to secure your account further:
- If you have a credit card associated with your T-Mobile account, it might be prudent to cancel it and have the PIN changed.
- Also, watch your bank and credit card statements carefully, scanning for any suspicious activity.
- Be on the lookout for phishing emails that appear to come from T-Mobile but ask you to verify personal details or supply additional information by clicking a link or downloading an attachment.
- Monitor your credit reports and sign up for credit monitoring (IDStrong.com offers this service).
Can a T-Mobile Data Breach Lead to Identity Theft?
Yes, the information stolen is enough for hackers to steal your identity. The first hack gave cybercriminals a lot of personal information. That data may have ended up on the dark web and, combined with the new information stolen, could let criminals easily assume your identity, open new accounts, and charge fees under your name. It’s always better to be safe than sorry, and there are things you can do to protect yourself. Most importantly, statistics on identity theft support these claims.
What to Do to Protect Yourself Against Cybercriminals
With all the latest data breaches in the news, it is hard to believe that all your personal information isn’t just out there floating around waiting to be used. Even if it is, you can take precautions against that information being used to steal from you, take control of your computer or steal your identity.
- Install the best antivirus software on your computer and run scans often.
- Be on the watch for phishing emails and scams (emails that look legitimate but sound odd or urgent).
- Never click links or open attachments from emails.
- Carefully monitor your bank and credit card statements, always on the lookout for fraudulent activities.
- Do not give out your personal details to anyone you do not know well.
- Change your computer and device passwords often and use hard-to-guess, complex ones.
- Sign up for multi-factor authentication.
- Contact the three major credit bureaus (Experian, TransUnion, and Equifax) and initiate a fraud alert.
- Stay alert and watch out for many different types of fraud.
- Sign up for identity theft monitoring at once.
T-Mobile will notify customers once they have further information. However, in the meantime, customers should do everything they can to protect themselves from further harm.