Cyberattack on Mobile Communications
T-Mobile Data Breach Impacts Nearly 50 Million Customers
On August 16, 2021, T-Mobile confirmed “unauthorized access” to its data in a breach that has affected over 50 million customers. In an August 17, 2021 post, T-Mobile broke down the number, stating that the breach affects as many as 7.8 million postpaid customers, 850,000 prepaid customers, and “just over 40 million” former or prospective customers who had previously applied for credit with the company. At the time of publication, the company is still actively investigating the breach and assessing its full impact.
The company has confirmed “some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.” At this time, it does not appear that financial information was exposed.
The data breach was first reported by Motherboard on August 15, 2021, based on an underground forum post claiming to have obtained customer records from over 100 million T-Mobile servers. The forum post stated the compromised data includes customer account names, Social Security numbers, driver’s license information, phone numbers, and unique International Mobile Equipment Identity (IMEI) numbers of phones on the account.
Motherboard claims to have confirmed the accuracy of samples of the compromised data. According to Motherboard, hackers are selling a subset of the data — containing 30 million unique Social Security numbers and driver’s license numbers — for 6 bitcoin, or about $280,000.
Krebs on Security posted an image of a sales thread tied to the stolen T-Mobile customer data.
SHOULD I BE WORRIED?
In addition to the high number of affected customers, the concern is the amount of personally identifiable information (PII) compromised in the breach, including Social Security numbers. In this case, there is a unique risk in the leak of both the phone number and IMEI number for individual customers’ phones. This combination could result in a SIM-swap attack and account takeover.
As mobile phones have become the de facto channel for two-factor authentication facilitated through SMS text, the implications of the breach for affected T-Mobile customers can be far-reaching. There is a threat of fraudulent credit accounts and fraudulent financial account access stemming from this breach. Any account an affected T-Mobile customer has that relies on SMS one-time passcodes is at risk of having those codes redirected, which could compromise activity on their deposit and credit card accounts.
This is not the first T-Mobile data breach. According to Sontiq’s BreachIQ™ database, this is the eighth breach since 2017, meaning this organization has lost customer data at an average rate of more than once per year. By comparison, AT&T and Verizon have had one each in the same period. Customers and prospective customers of the company need to be aware of this record.
To determine the impact a specific breach could have on an individual’s identity, we score it on Sontiq’s BreachIQ scale. The AI-driven technology analyzes over 1,300 data points of a data breach to assess the risk level and assign a 1 through 10 score. This latest T-Mobile breach currently rates a 5.
The score is based on information released at the time of publication. As we learn more about what data may have been compromised, the score will be updated.
3 TIPS TO PROTECT YOURSELF
If you are a former or current T-Mobile customer, or you have applied for a T-Mobile account, here are three actions you should take:
- Change passwords and PIN. If you used your T-Mobile password for other sites or apps, change those passwords immediately to strong, unique, and secure passwords. T-Mobile recommends all T-Mobile postpaid customers “proactively change their PIN by going online into their T-Mobile account or calling our Customer Care team by dialing 611 on your phone. This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised.”
- Set up credit report monitoring. Commercial credit monitoring services can spot potential fraudulent opening of new accounts or even misuse of an account that you haven’t used in a while. Many also have the advantage of potentially sending you updates based on ongoing usage, rather than relying on you to check in with them or only allowing you to get an update once a year.
- Set fraud alerts on your credit reporting. A fraud alert keeps your credit information open while advising those making an inquiry to be more cautious when using it (both for existing and new account activity), typically requiring them to take additional steps to verify the applicant’s identity. Depending on your breach history, you might also consider a credit freeze.