The third most popular mobile network in the US, T-Mobile, has suffered a data breach that affected more than two million of its customers.
According to the company’s website, on 20 August 2018, T-Mobile’s in-house security team noticed unusual activity that was immediately “shut down.”
Data potentially compromised before the shutdown included subscribers’ names, billing zip codes, phone numbers, email addresses, account numbers and account types (e.g. pre-paid or billed).
Apparently, no social security numbers (SSNs), financial data or account passwords were accessed during the attack.
The alert doesn’t mention the number of subscribers involved but this is being reported by Motherboard as just shy of 3%, or around 2.26 million accounts.
Users caught up in the breach would be contacted with further instructions, T-Mobile said, though the company didn’t say how or when that would happen. (Motherboard quoted a spokesperson as saying that affected customers would be told by text message.)
If there’s good news in this incident, it’s that the breach seems to have been noticed quickly by T-Mobile’s in-house security team, and the company has told its customers within a matter of days.
In plenty of other breach incidents, companies have realised what happened only after they were contacted by a third-party researcher, by the attackers themselves, or, in the worst-case scenario, by customers reporting fraud attempts.
This is often weeks or months – sometimes even years – after the event, by which time a lot of damage has been done.
According to the Privacy Rights Clearinghouse, so far in 2018 (to early August) 513 disclosed data breaches covering 819 million records have been recorded. For comparison, the whole of 2017 saw 831 breaches covering just over two billion records.
Naked Security
T-Mobile suffers data breach affecting 2.2 million customers
Tom Cooper
The customer information should be enough for a social engineering attack. They just need to call T-Mobile Customer Service to break into a customer’s account.
Hopefully, T-Mobile will request Social Security numbers. The attackers will be able to get that from the Dark Web.
Jim Gersetich
Social Security numbers are not supposed to be used for identification except in very limited circumstances (bank accounts, government interactions, employment, and a few more).
Mike
T-Mobile allows customers to have PIN numbers to access account details. Customers should set this up if they haven’t. Additionally, T-Mobile has the ability to send 5-digit codes to customers’ phones and require the customer to supply the correct code before making account changes, which proves (in 99% of the cases) that the customer has physical access to the phone.
Steve
Well… actually, it only proves that someone *claiming to be* the customer has physical access to the phone. But I agree that it’s still a positive asset.
Paul Ducklin
Strictly speaking, it shows that someone claiming to be the customer has a SIM card with the number originally issued to the customer… a mobile “phone” number doesn’t go with the phone but with the SIM in it.
Tom
This explains the increased rate of unsolicited phone calls.
Anonymous
Will this only affect US customers and not UK/EU?
Paul Ducklin
It seems as though this is a US-only breach.
T-Mobile’s website is rather unhelpful, I’m afraid. It implies but doesn’t clarify which countries’ customers were breached. The company says “all customers who were affected have been contacted” – or will be soon, but they don’t say how long to wait or how you’ll be contacted.
You think they’d consider contacting everyone (it’s not as though they don’t have their phone numbers!) and saying whether they were affected or not.
Kate Soehnlen
I got a text message almost 3 days ago that included a link that gave a bit more information. Hopefully you’ll hear from them soon if you’ve been affected.
tomlynda2014
Come on people. Less than 3% were affected by this, and they have already been contacted. So if you haven’t heard, that’s good news.
Now if this had been Verizon, it would take months.
Paul Ducklin
Except that’s not what T-Mobile’s website said when I wrote my comment above. It fairly clearly said that if you haven’t heard yet… you may still yet do so.
A little bit of clarity would go an awful long way.