A string of data breaches for T-Mobile that now dates back several years seems to be continuing without end, as the company has experienced two already in 2023. This more recent breach is relatively small, reportedly impacting no more than 1,000 customers, but those that are impacted will be dealing with the loss of some very sensitive information.
This follows an API scraping exploit that did not lead to highly sensitive information being stolen, but did leak some private profile information for around 37 million customers. The more recent data breach may have exposed account PINs, Social Security numbers, and driver’s license numbers belonging to the victims.
T-Mobile Data Breaches Have Become a Regular Phenomenon Since 2018
The carrier has now experienced eight data breaches involving the loss of personal information since 2018. These breaches have been of varying size and seriousness, but at least two have involved tens of millions of customers (and one of those also involved the theft of account PIN numbers). The company was also hit by Lapsus$ in 2022, and the gang reportedly stole source code after managing to buy an employee’s working login credentials on the dark web.
The most recent data breach is relatively small, with an estimated victim count of about 836 people at this time. But it is particularly damaging for those that are impacted as it appears to come from the customer records of postpaid subscribers, who generally submit much more personal information in order to verify their identity and open their accounts.
It is not clear how many of the 836 data breach victims had sensitive identification information taken. T-Mobile issued a statement saying that the information that was stolen varied by customer and that no payment information or call records were included. However, the information that was stolen is exactly what criminals would be looking for to execute account takeovers via a SIM swap attack, not to mention being key pieces of many other forms of financial fraud.
At minimum, it would appear that impacted customers had information that regularly appears on their billing statements stolen in the data breach: full names, home addresses, phone numbers, and information about the lines and phone plans that they have. T-Mobile has said that it has contacted the customers that are affected, reset their pins and is offering them two years of identity theft and credit monitoring detection services.
Though T-Mobile’s security record is becoming alarming at this point, there are few options for customers to make the jump to. It, Verizon and AT&T are essentially the three cellular carriers available in the United States at this point, with various “virtual operators” leasing space on their networks. The API scraping attack that hit T-Mobile earlier this year appeared to also include account information for users of one of these virtual operators, Mint Mobile, which has since been acquired by the company.