T-Mobile breach exposed personal data of almost 50 million people

Attackers captured the names, dates of birth, Social Security numbers and driver's license numbers of millions of current, former and potential T-Mobile customers.

Cyber security lock. Security computer Data Internet protection with lock, key on microscheme chip. Hacker attack and data breach, information leak concept.

Getty Images/iStockphoto

A cyberattack against T-Mobile has compromised the personal information of almost 50 million people, according to the carrier. In an update posted on Tuesday, the company said that certain customer data had been accessed and stolen by unauthorized individuals and that the data did include some personal information for a wide range of customers.

SEE: Security Awareness and Training policy (TechRepublic Premium)

The customer data obtained in the attack encompassed first and last names, dates of birth, Social Security numbers (SSNs) and driver's license/ID numbers.

Those impacted by the breach include 7.8 million current T-Mobile postpaid customers and more than 40 million former or potential customers who had applied for credit with the company. Also exposed were the names, phone numbers and account PINs of around 850,000 active T-Mobile prepaid customers.

T-Mobile said that so far there's no indication that any customer financial data, credit card details, debit or other payment information have been compromised. The company added that it found and closed the access point that it believes the attacker used to gain access to the customer accounts but gave no further details on exactly how the incident occurred or how its network was compromised.

At this point, the carrier has implemented the following measures to try to help affected customers:

  • Two years of free identity protection services with McAfee's ID Theft Protection Service.
  • Recommendation that all T-Mobile postpaid customers proactively change their PIN by signing into their account or calling the company's Customer Care center by dialing 611 on your phone. T-Mobile said it's advocating this step even though it isn't aware of any postpaid account PINs being compromised.
  • Offering Account Takeover Protection capabilities for postpaid customers, a feature that makes it more difficult for accounts to be fraudulently stolen and used.
  • A webpage with information to help customers take further steps to protect themselves. The page suggests additional actions for customers such as changing your account password, activating T-Mobile's Scam Shield on your phone and obtaining a free credit report.

The breach came to light earlier this week following a report that T-Mobile was investigating an underground forum post from someone claiming to be selling customer data obtained from T-Mobile servers, according to tech news site Motherboard. The data up for sale included Social Security numbers, phone numbers, names, physical addresses, unique IMEI numbers and driver's license numbers. Motherboard said it viewed samples of the data and confirmed that it contained details on T-Mobile customers.

In an online chat, the seller told Motherboard that they had compromised multiple T-Mobile servers. In the forum post, the seller was asking for six bitcoin (around $270,000) for a portion of the data that contained 30 million Social Security numbers and driver's license numbers, with the rest available for sale privately.

In a statement to Motherboard at the time, T-Mobile said: "We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time."

Another person reportedly involved in the attack told Information Security Media Group (ISMG) that T-Mobile was compromised after the carrier left a Gateway GPRS Support Node, or GGSN, misconfigured and exposed to the internet, reported Govinfosecurity.com. GGSNs are part of a core network connecting mobile devices to the internet.

The person claimed that the attackers had access to T-Mobile systems for two to three weeks before the carrier shut them down. They also said that the attackers moved to T-Mobile's LAN and then to the more than 100 mostly Oracle databases with user information.

"The attacker claims to have compromised an end of life GPRS system that was exposed to the internet and was able to pivot from it to the internal network where they were able to launch a brute force authentication attack against internal systems with no rate limiting, and I'm guessing no alerting functions either," said Chris Clements, Cerberus Sentinel VP of solutions architecture. "Assuming this is true, then as usual it isn't just one mistake that leads to a massive compromise, but a string of failures or absence of security controls that occur."

This is hardly the first time T-Mobile has been compromised. In fact, it's at least the fifth breach in just the past few years.

"The T-Mobile data breach proves that lightning certainly can strike twice--in fact, it can strike as many as five times--dating back to the company's data-scraping incident in 2018," said Keeper Security CTO & co-founder Craig Lurey. "Cyber experts have warned time and time again about secondary attacks, and we're now starting to see that the consequential attacks can actually be much more devastating than the first."

With this data seemingly up for sale by the attackers, potential buyers can use it to perform a variety of crimes.

"Hackers can use the stolen SSNs to gain access to existing bank accounts," said Accurics CISO Om Moolchandani. "Using the stolen identity, attackers can potentially get their name added to the account or simply transfer money. While the amount of data stolen might already be extensive, criminals can merge it with other information into a single database, increasing its value on the dark market. This also increases the chance of identity theft and major financial issues for the T-Mobile customer."

Now the onus is on T-Mobile to investigate the attack and take the necessary steps to beef up its security, although the company doesn't seem to have learned enough of a lesson from previous data breaches. Further, the burden is on T-Mobile customers to protect their accounts and data from further compromise.

"Affected customers need to take control of their information immediately and in every way possible," Lurey said. "First of all, change your passwords. The hackers are likely already connecting the dots to other platforms and services you log in to--changing your passwords now can act as a barrier to further entry."

Lurey also advised using a password manager to help control and change any passwords that may have been exposed. Multi-factor authentication is another recommended step to prevent criminals from signing into your accounts. Finally, you may want to tap into a Dark Web monitoring service to see which of your accounts and information may be up for sale.

Also see