The T-Mobile hack reported earlier this week has now been confirmed by the company. Some of the details differ from claims made by the hacker, but the carrier has admitted that 47.8 million records were taken – and not just from customers. You could be at risk if you have ever even applied for a T-Mobile account, whether or not it was ever opened…
T-Mobile also confirmed the claim that the personal data includes both social security numbers and driver’s license details for “a subset” of people, along with account PINs for some.
On Monday, a hacker began offering for sale personal data from T-Mobile customers.
A hacker is selling what they claim is personal data from 100 million T-Mobile customers in the US, stating that this means full records for each customer.
The forum post itself doesn’t mention T-Mobile, but the seller told Motherboard they have obtained data related to over 100 million people, and that the data came from T-Mobile servers […]
Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.
The data appears comprehensive: Names, Social security numbers, phone numbers, physical addresses, unique IMEI numbers, and driver’s license information.
T-Mobile initially said it couldn’t confirm or deny the privacy fail, but later confirmed that unauthorized access had occurred and that it was investigating what was accessed.
T-Mobile hack confirmed
The carrier has now issued a statement giving details of the data obtained in the security breach, which it says is from a mix of past, present, and prospective T-Mobile customers.
While our investigation is still under way and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.
We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information.
Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.
Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.
However, the statement then goes on to say that PINs of prepaid customers were included.
At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed. We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.
Although T-Mobile is trying to downplay the seriousness by stating that no financial data or passwords were obtained, the personal information would put those affected at significant risk of identity theft. The company does implicitly acknowledge this by offering two years of protection.
As a result of this finding, we are taking immediate steps to help protect all of the individuals who may be at risk from this cyberattack. Communications will be issued shortly to customers outlining that T-Mobile is immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
Additional protections include making it harder for accounts to be taken over, and recommending that all customers change their account PINs.
T-Mobile will be contacting those affected, but it sounds like you are at risk if you are a current customer, have been a customer in the past, or have ever applied for a T-Mobile plan, even if your application was declined or you changed your mind before the account was activated.