T-Mobile Breach is One of Many. Can it Be the Last?


By: Mary Jander

T-Mobile US (Nasdaq: TMUS) has suffered a major digital attack that’s exposed the personal information of at least 47 million customer records, prompting questions about the company’s cybersecurity preparedness.

“Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems,” the company disclosed in a statement. “We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment.”

What T-Mobile found was that the first and last names, dates of birth, Social Security numbers, and driver’s license (or other ID) information had been exposed for 7.8 million current postpaid mobile customers and 40 million past or prospective postpaid customers. Additionally, about 850,000 current prepaid customers had their names, phone numbers, and account PINs exposed to hackers. An unquantified number of inactive prepaid accounts were also compromised.

T-Mobile stated that “no Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.”

The un-carrier is recommending that all postpaid customers change their mobile PINs or call Customer Care by dialing 611 on their phones for guidance. Additionally, T-Mobile is offering each compromised customer two years of McAfee’s ID Theft Protection Service for free. The company also has promised a dedicated Webpage to inform customers of how to “take steps to further protect themselves.”

Red Flags Waving Wildly

All of this sounds eerily familiar. Though T-Mobile boasts that customer privacy is a top priority and that “With T-Mobile, you don’t have to worry,” the cell service seller has had at least five data breaches within the last four years. These include the following:

  • In August 2018, 2 million customer accounts were reportedly exposed to an online attack, following at least two security weaknesses the company had identified as part of a “bug bounty” program.
  • In November 2019, personal data of about 1 million customers was exposed.
  • In March 2020, an email hack exposed an unspecified number of customers’ information, including financial data.
  • In January 2021, hackers broke into data on about 200,000 customers.

In all but the March 2020 attack, T-Mobile claimed that the exposed data didn’t include personal financial information but included items such as name, phone number, and driver’s license information – hinting that the same data was breached more than once.

Hackers Already Selling Data

The hackers responsible for the latest breach told online publication Vice's Motherboard section reporter that a subset of the information, including driver’s licenses and Social Security numbers for 30 million T-Mobile customers, is selling on the dark web for about $270,000 or 6 bitcoin. There is no indication at this point that T-Mobile is making any effort to pay a ransom fee for the data.

The hackers claim to have gotten in through a weak point in T-Mobile’s wireless data network that led them to steal over 100 Gbytes of customer information, including IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) numbers, which identify each unique device and its SIM card. Here’s what one hacker, identified as "@und0xxed," reportedly bragged online:

“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details.... All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

Remedial Action Please!

The trouble at T-Mobile has happened too often to be coincidental. Clearly, it isn’t enough to expect customers to protect themselves with McAfee software, which has been T-Mobile’s public claim to securing customer information. It isn't enough to call in security experts after a breach, nor to rely on bounty hunters and dark-web forums for information.

Instead, T-Mobile needs to address underlying security problems in the un-carrier’s data centers, starting perhaps with zero trust for all data on T-Mobile servers, followed by the necessary protocols to back up data effectively, educate staff, and obtain continual evaluations from reputable security firms.

It’s more than puzzling that given the current ransomware pandemic, in which attacks rose 150% in 2020 and show signs of topping that figure this year, that T-Mobile seems content to protect its vulnerabilities with outdated and even careless approaches. Things could only get worse as the company escalates its 5G strategy. A leaking lifeboat could become a sinking ship.