T-Mobile confirms fifth data breach in three years

T-Mobile has confirmed media reports from earlier this week that it had suffered a serious data breach. And it’s not just existing T-Mobile users who should be alarmed, but former and prosepective customers as well.

In an advisory published on its website, the telecoms giant warned that cybercriminals had accessed customers’ names, driver’s license details, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs, addresses and phone numbers.

The confirmation from T-Mobile came days after a hacker offered for sale on an underground forum data related to what they claimed were 100 million T-Mobile users.

Sign up to our newsletter
Security news, advice, and tips.

In its latest update for concerned customers, T-Mobile published its latest confirmed figures for the number of affected customers:

We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI and IMSI information, the typical identifier numbers associated with a mobile phone, were also compromised. Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver’s license/ID information compromised.

We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information, were compromised. We have since identified an additional 667,000 accounts of former T- Mobile customers that were accessed with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver’s license/ID information compromised.

Separately, we have also identified further stolen data files including phone numbers, IMEI, and IMSI numbers. That data included no personally identifiable information.

We continue to have no indication that the data contained in any of the stolen files included any customer financial information, credit card information, debit or other payment information.

As we previously reported, approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed. We have proactively reset ALL of the PINs on these accounts. Similar information from additional inactive prepaid accounts was also accessed. In addition, up to 52,000 names related to current Metro by T-Mobile accounts may have been included. None of these data sets included any personally identifiable information. Further, none of the T-Mobile files stolen related to former Sprint prepaid or Boost customers.

It doesn’t paint a good picture, and as T-Mobile investigates further it’s possible the number of affected customers may increase.

But what perhaps is the worse statistic of all is that this is, by my account, the *fifth* data breach suffered by T-Mobile in the last three years.

Here are those previous incidents:

January 2021 – Hackers managed to access customer account information which may, in T-Mobile’s words, “have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.”

March 2020 – T-Mobile reveals that hackers broke into employees’ email accounts and stole customer account information.

November 2019 – T-Mobile confirmed that more than one million prepaid customers were impacted by a breach which saw hackers access their names, phone numbers, billing addresses, T-Mobile account numbers, and details about rates and plans.

August 2018 – Hackers stole details of two million T-Mobile customers.

In its latest advisory, T-Mobile reminds the world that “customers trust us with their private information and we safeguard it with the utmost concern.”

I wonder how many customers really do trust T-Mobile, after five data breaches in such a short period of time?

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.