While saying its investigation is still ongoing, the company confirmed that records of over 40 million “former or prospective customers” who had previously applied for credit and 7.8 million postpaid customers (those who currently have a contract) were stolen. In its last earnings report (PDF), T-Mobile said it had over 104 million customers.
The stolen files contained critical personal information, including first and last names, dates of birth, Social Security numbers, and driver’s license / ID numbers — the kind of information you could use to set up an account in someone else’s name or hijack an existing one. It apparently did not include “phone numbers, account numbers, PINs or passwords.”
T-Mobile found out about the breach based on a forum post
That isn’t the end of it, either, as over 850,000 prepaid T-Mobile customers were also victims of the breach, and for them, the exposed data includes “names, phone numbers, and account PINs.” Affected customers have already had their PINs reset and will receive a notification “right away.” There was also unspecified information accessed for inactive prepaid accounts. However, T-Mobile says, “No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.”
Customers trust us with their private information and we safeguard it with the utmost concern. A recent cybersecurity incident put some of that data in harm’s way, and we apologize for that. We take this very seriously, and we strive for transparency in the status of our investigation and what we’re doing to help protect you.
The notice includes boilerplate language saying that “We take our customers’ protection very seriously,” but it rings especially hollow from T-Mobile considering that this is at least the fourth data breach exposed in the last few years, including one in January. According to the company’s statement, its investigation began based on a report of someone claiming in an online forum that they had compromised T-Mobile’s servers. A spokesperson for the FCC says in a statement that “Telecommunications companies have a duty to protect their customers’ information. The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating.”
A Twitter account advertising stolen data for sale claimed the attack affected all 100 million customers and included IMEI / IMSI data for 36 million customers that could uniquely identify specific devices or SIM cards, but T-Mobile’s announcement does not confirm that is the case.
T-Mobile has added a page on its site where customers can go for information as well as shortcuts to change their PINs and passwords. It’s offering two years of free identity protection services from McAfee, recommends postpaid customers change their PIN, and mentions its Account Takeover Protection capabilities to prevent SIM-swapping attacks.
Update August 18th, 4:49PM ET: Added link and information regarding T-Mobile’s dedicated site, and its apology statement.
Update August 19th, 10:30AM ET: Added statement from the FCC.