T-Mobile has confirmed that its systems have been hacked, with cyber criminals stealing the personal data of more than one million US customers.
According to the organisation, customer names, addresses, phone numbers, rate plans and plan features were all exposed.
Other sensitive information such as passwords and financial information weren’t affected.
In a statement issued to customers, T-Mobile said that it had discovered malicious, unauthorised access to its systems.
Few details of the breach have been made public, other than the fact that it was a cyber attack and that approximately 1.5% of T-Mobile’s 75 million customers were affected – about 1.1 million.
T-Mobile added that the suspicious activity was initially spotted at the beginning of November, with criminal hackers accessing the information of prepaid wireless account holders.
Although the organisation promptly reported the incident to the authorities, it has waited until now to inform customers and the public – presumably to ensure it had all the facts straight.
There are few things worse than announcing the details of a data breach only to later find that things are much worse than you initially thought. This happens all too often, with organisations facing an initial backlash, then adding fuel to the fire with more bad news.
Because the breach occurred in the US rather than the EU, it isn’t subject to the GDPR (General Data Protection Regulation), which would have required T-Mobile to inform customers within 72 hours of learning about it.
T-Mobile has declined to provide further details, such as whether the breach affected public-facing or internal website or database, how long the data was exposed and what the organisation did to address the issue.
Can T-Mobile be trusted?
This isn’t the first time T-Mobile has suffered a data breach. In August 2018, the organisation disclosed an incident that affected about 2.3 million customers.
That breach has a lot in common with this one, with T-Mobile saying at the time that the criminal hackers accessed customers’ names, contact information, account numbers and account types, but didn’t get hold of financial information or Social Security numbers.
However, the organisation later provided an update, adding that encrypted passwords were also exposed.
Multiple security researchers commented that T-Mobile was using a weak encryption algorithm, and advised customers to change their passwords.
Without knowing the full details of this latest incident, it’s hard to say whether T-Mobile should be considered a security liability or a second breach in just over two years is simply bad luck.
In T-Mobile’s favour is the fact that rival mobile phone providers on both sides of the Atlantic have also been breached in the past few years, which suggests that cyber criminals are actively targeted phone providers.
That shouldn’t come as a surprise, given that such organisations typically have tens of millions of customers, all of whom provide vast amounts of personal information.
Even if the crooks don’t access financial information, they have enough details to conduct account hijacking. This is a type of identity theft where scammers steal compromise an account and use it to commit further scams.
One way they might do this is to transfer their phone contract to a new phone number, then reset passwords to other accounts, using a one-time password sent by text.
What should you do?
Those in the UK should probably consider themselves safe, as one of the few details T-Mobile confirmed was that the breach was isolated to US customers.
Indeed, T-Mobile hasn’t operated in the UK since EE was formed in 2010, and EE hasn’t been a part of T-Mobile’s owner, Deutsche Telekom, since 2016.
For those in the US, T-Mobile has sent a text message to everybody who was affected by the breach, but if you haven’t been contacted, it doesn’t necessarily mean your information is safe.
There’s no information yet on how far back the breach dates, so you might have switched providers and/or phone numbers in the past few years and still be affected.
It’s also possible that the breach is more extensive than T-Mobile initially thought, or that the cyber criminals were able to hijack your account and intercept the notice.
If you’re in any doubt, you should change your password immediately and contact T-Mobile at privacy@t-mobile[.]com.