NewsBite

T-Mobile says hackers stole information on more than 40 million people

Hackers steal personal information from more than 40 million current and prospective T-Mobile US customers.

Hackers took personal information from 40 million current and prospective T-Mobile customers. Picture: Chip Somodevilla/Getty Images/AFP

T-Mobile US said the attack that breached its computer network pulled Social Security numbers and other personal information of more than 40 million current and prospective customers.

The cellphone carrier said the stolen data included first and last names, birth dates, Social Security numbers and driver’s license information from a subset of current and potential customers. The victims included people who applied for credit with T-Mobile -- regardless of whether they ended up doing business with the carrier -- and about 7.8 million current subscribers with postpaid plans.

The breach is among the larger thefts of Social Security numbers, though leaks from various companies in recent years have exposed such data on tens of millions of consumers. A 2017 intrusion at Equifax Inc. exposed about 143 million Americans’ personal information, including names, addresses, birth dates and Social Security numbers.

T-Mobile said it would open an online portal with information for potential victims, though the web page wasn’t yet live early Wednesday morning.

The company said the breach also exposed the names, phone numbers and account PINs, or personal identification numbers, of about 850,000 of its customers on prepaid plans, which don’t require a credit check. Subscribers using the Metro by T-Mobile, legacy Sprint and Boost Mobile brands weren’t part of that group.

The company didn’t disclose the extent to which the various victim groups overlapped. Some of the 40 million people who lost their personal credit details might have been included among the count of users with postpaid plans, which often require a Social Security number or other information to set up an account.

The admission is the latest setback for T-Mobile, which disclosed the breach earlier this week in response to reports of its customer information for sale on a hacker forum. Vice’s Motherboard tech site earlier reported on the breach.

The company said early Wednesday that it had reset the PIN codes of all the affected prepaid accounts and recommended that postpaid users do the same. The carrier said it would offer two years of free identity-protection services from security firm McAfee.

T-Mobile said it found and closed an access point used to break into its servers. The company called the intrusion a “highly sophisticated cyberattack,” but offered few details about how it worked and when its security team discovered the lapse.

A person who tweeted about the attack before it was public and claimed to know the attacker described a breach that relied on lax security measures more than insider know-how or buggy code. This person said the attacker used an unprotected network gateway to reach the company’s backup servers, which stored unencrypted details on customers going back to the mid-1990s.

A sample of the stolen data set posted online included names, addresses and serial numbers that identify a user’s unique device and subscriber identity module, or SIM. Attackers could use the last data point to steal a victim’s phone number, a tactic known as a SIM swap that is often used as a launchpad for other fraud.

A T-Mobile spokeswoman on Wednesday said the company had disclosed all the information it had about the attack’s effect on customers.

The database breach appears to be the company’s largest so far. A unit of credit-reporting company Experian PLC leaked information about roughly 15 million T-Mobile subscribers in 2015, including encrypted Social Security numbers. Two more attacks in 2020 affected smaller groups of T-Mobile’s subscriber base.

Dow Jones Newswires


Original URL: https://www.theaustralian.com.au/business/the-wall-street-journal/tmobile-says-hackers-stole-information-on-more-than-40-million-people/news-story/41a766cbda86a724dcd31b102ea4721e