T-Mobile US Inc. has disclosed another data breach, its second disclosed breach in 2023, although this one only affected 1,000 customers as opposed to the 37 million affected by the previous one. This is the eighth data breach since 2018.
The most recent data breach, which was found in March, impacted 836 customers. In a letter to affected customers dated April 28, T-Mobile classified the breach as unlawful conduct in which a bad actor had access to information from a small number of consumers between late February and early March. This letter was discovered today by Bleeping Computer.
The information obtained includes complete names, contact details, account numbers and associated phone numbers, T-Mobile account PINs, Social Security numbers, government-issued IDs, dates of birth, balance due, and internal codes used by T-Mobile to service client accounts. No call records or financial account information were impacted.
T-Mobile has reset the PINs of impacted customers, who are also being given two years of free credit monitoring and identity theft services. The letter makes no mention of T-Mobile getting in touch with law enforcement or employing a third-party forensics company, which is often the case in similar situations. Nevertheless, the corporation undoubtedly already has a third-party firm on hand, and the most recent breach may have been simply added to earlier investigations.
T-Mobile mentions twice in the letter that it takes these problems seriously, but considering the company’s history of being hacked, this is a highly speculative statement. To its credit, the business continues to remain ahead of malicious actors; we must continue to improve our measures to prevent unwanted access like this.
It’s the latest in a string of data breaches at T-Mobile. In the breach that was previously revealed in January, 37 million customer records, including personally identifiable information, were stolen. The theft began on or around November 25 and wasn’t discovered until January 5.
Previous T-Mobile hacks include the theft of 48 million records in August 2021 and the theft of 2 million customer records in August 2018. Prepaid customer data was stolen in November 2019, and employee and customer data was stolen in March 2021. In April 2022, Lapsus$ also gained access to T-Mobile’s internal systems.
In July, T-Mobile agreed to pay $500 million to resolve a class action lawsuit arising from the August 2021 breach. The agreement stipulated that $150 million would be used to improve data security while $350 million would go toward a settlement fund.
According to Dror Liwer, co-founder of the cybersecurity firm Coro Security Ltd., “this incident highlights the need for smart automation when it comes to containment and remediation of data breaches.” “T-Mobile put safeguards in place to warn them of unauthorized activity, but the attacker had access to the information for a month,” said the company. That period of time would have been significantly shorter if automation had been used.
T-Mobile US Inc. reported its eighth data breach since 2018; the latest hack affected fewer than 1,000 users instead of 37 million. The March breach affected 836 customers. T-Mobile’s April 28 letter to affected customers defined the breach as a bad actor obtaining access to a small number of consumers’ data between late February and March. Full names, contact information, account numbers and phone numbers, T-Mobile account PINs, Social Security numbers, government IDs, dates of birth, balance due, and internal codes used by T-Mobile to service client accounts were stolen. Call and financial data were unaffected.
T-Mobile reset users’ PINs and provided two years of free credit monitoring and identity theft services. The letter does not mention T-Mobile contacting law enforcement or hiring a third-party forensics firm, which is customary in these cases. However, the business likely already has one and may have added the recent breach to earlier investigations.
T-Mobile asserts twice in its letter that it takes these issues seriously, but given its history of hacks, that’s subjective. This is yet another T-Mobile data breach. The previous hack of 37 million customer records, including personally identifying information, began on Nov. 25 and was discovered on Jan. 5. T-Mobile was hacked in August 2018, November 2019, March 2021, and August 2021. In April 2022, Lapsus$ breached T-Mobile.