UPDATE 8/27: T-Mobile CEO Mike Sievert says the company has figured out how hackers gained access to its systems, and is now “confident that there is no ongoing risk to customer data from this breach.” But he declined to elaborate fully given that the investigation is ongoing. In a blog post, he writes:
“We recognize that many are asking exactly what happened. While we are actively coordinating with law enforcement on a criminal investigation, we are unable to disclose too many details. What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”
The carrier signed a multi-year deal with security firm Mandiant and consulting firm KPMG LLP to help with cybersecurity efforts going forward. “This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers,” Sievert says.
As for those affected, T-Mobile has “notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, Social Security number, or government ID number compromised,” Sievert says. “T-Mobile customers or primary account holders who we do not believe had that data impacted will now see a banner on their MyT-Mobile.com account login page letting them know.”
UPDATE 8/20: In a filing with the Securities and Exchange Commission, T-Mobile updated estimates of how many people are affected by the breach. It says (emphasis ours):
“We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI and IMSI information, the typical identifier numbers associated with a mobile phone, were also compromised. Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver’s license/ID information compromised.”
UPDATE 8/18: T-Mobile today confirmed that the personal information of millions of current, former, and prospective customers was stolen from its systems in a recent hack.
“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” T-Mobile said in a statement.
Postpaid and Prospective T-Mobile Customers
“For a subset of current and former post-pay customers and prospective T-Mobile customers,” accessed data includes customers’ first and last names, date of birth, Social Security numbers, and driver’s license/ID information, T-Mobile says. Phone numbers, account numbers, PINs, passwords, or financial information were not compromised in any of those files, it says.
T-Mobile recommends that postpaid customers change their PIN via their T-Mobile account or by calling 611 on their phones, though “we have no knowledge that any postpaid account PINs were compromised,” it says.
Prepaid T-Mobile Customers
About 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were also exposed. Those PINs have been reset and T-Mobile will contact affected customers.
Some “additional information” from inactive prepaid accounts was also breached, but “no customer financial information, credit card information, debit or other payment information or [Social Security numbers were] in this inactive file,” T-Mobile says.
Metro by T-Mobile, Sprint, and Boost
Metro by T-Mobile, former Sprint prepaid, and Boost customers did not have their names or PINs exposed, T-Mobile says.
What Should You Do?
T-Mobile says it will publish a web page today with “information and solutions” surrounding the breach. In addition, it will:
- Offer two years of free identity protection services with McAfee’s ID Theft Protection Service.
- Offer its Account Takeover Protection services to postpaid customers, “which makes it harder for customer accounts to be fraudulently ported out and stolen,” the carrier says.
Breaches like this often lead to phishing attacks, so be wary of suspicious emails or text messages from people you don’t know asking you to click links and/or provide personal information. For more, see How to Avoid Phishing Scams.
“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” the company adds. “While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve.”
UPDATE 8/16: T-Mobile says in a statement that “we have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved.” The entry point for the attack has been closed, according to the carrier, which is now “continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.” The full statement is below.
“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.”
Original Story 8/15: T-Mobile is investigating a data breach said to have compromised the names, Social Security numbers, and other personal information of more than 100 million people, Motherboard reports.
A hacker claims to have gained access to T-Mobile servers where that data was stored. That hacker is asking for 6 BTC, which is worth roughly $276,000 at Bitcoin’s current exchange rate, in exchange for the SSNs and driver’s license information of 30 million people. The rest of the data is apparently being sold privately rather than being made publicly available.
That data is also said to include phone numbers, physical addresses, and unique IMEI numbers associated with specific phones. This information could be used in spear-phishing attacks, which target specific people with personalized messages to make them more likely to click on malicious links or install malware, as well as other kinds of attacks on the affected individuals.
“We are aware of claims made in an underground forum and have been actively investigating their validity. Unfortunately, we do not have any additional information to share at this time,” T-Mobile said in a statement.
If confirmed, this would be T-Mobile’s fifth known breach in less than three years. The company previously disclosed breaches in 2018, 2019, and 2020 as well as January of this year. The severity of those breaches varied both in terms of what kind of data was compromised and in how many people—between 200,000 and 2 million—were affected.
“We are aware of claims made in an underground forum and have been actively investigating their validity,” T-Mobile tells Motherboard. “We do not have any additional information to share at this time.”
Editors’ Note: Story updated with comment from T-Mobile.