Up to 100 million customers affected by T-Mobile data breach and cyberattack
Posted by: GuidePoint Security
Published 8/25/21 9:00AM
In case you missed it (which was pretty hard to do), T-Mobile suffered a breach affecting, at the last official count, 54 million victims. (Online criminals selling the data are claiming it affects 100 million users.) The breach, which T-Mobile is now stating is worse than originally reported, involves current and former customers, prepaid and postpaid customers, as well as credit applications from former customers and prospects. Data compromised (aka ‘stolen’) includes first and last names, dates of birth, Social Security numbers (SSN), and driver’s license/ID information. In addition, T-Mobile is reporting that phone numbers, as well as International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) information, have been stolen. Last week, T-Mobile also reported that account data from almost 700,000 former T-Mobile customers was included in the breach, including first and last names, dates of birth, Social Security numbers, and driver’s license/ID information.
The breach reportedly occurred as the result of an insecure (i.e., no password required) subdomain that T-Mobile employees were using as a customer care portal. According to the cybercriminal behind the attack, the data was “sitting in plaintext.”
The impacts and consequences of a breach of this size, affecting such sensitive personally identifiable information (PII) associated with so many U.S. citizens, cannot be overstated. The effects will likely linger for months, if not years, to come. While fraud and credit theft are always a concern with SSNs, and spearphishing and social engineering attacks are almost guaranteed, the theft of the IMEI and IMSI information means that criminals will have a field day when it comes to the phone hijacking process known as SIM-swapping. And with so many individuals affected, including many in high-profile positions (CEOs and executives) or individuals working in sensitive jobs (government employees, individuals with clearances, scientists, or even cybersecurity professionals), the longer-term effects may be substantial.
In the case of SIM-swapping, all it would take would be for the criminal to request a new SIM card using the information gained from the victim’s account and install the SIM card on a different mobile device, while deactivating the victim’s legitimate mobile device. This could potentially give the criminal the ability to engage in sophisticated social engineering or access to usernames and passwords, mobile banking, and other sensitive information. It could also render two-factor authentication (2FA) useless since most individuals use texting as their 2FA source for things like password resets.
Malware sent via text links to victims is also a legitimate concern, since the malware could contain ransomware or backdoors that give the criminal access to a user’s sensitive information, as well as any connected business systems.
Next Steps
T-Mobile has indicated that investigations into the breach are ongoing, with third-party investigators involved. Law enforcement has also been alerted, and last week the Federal Communications Commission (FCC) announced it was probing the breach. T-Mobile is also offering victims a free two-year ID theft protection service, which includes credit monitoring, full-service identity restoration, identity insurance, and dark web monitoring.
In the meantime, individuals and businesses with T-Mobile accounts are advised to change their passwords immediately, freeze credit reports, and use the free T-Mobile ‘Account Takeover Protection’ and ‘Scam Shield’ services. Victims are also being advised to watch for any strange text messages that include links or ask for any personal or sensitive information such as passwords. T-Mobile users who receive unusual unsolicited text messages should not click on any links or respond, but instead forward the message directly to T-Mobile at “7726.”