T-Mobile US has confirmed that personal data belonging to over 50 million current, former and prospective customers was exposed in a recent hack of its internal systems. The operator said that the stolen files did not appear to contain any customer financial information, credit card information, debit card details or other payment information. The data that was accessed did, however, include customer names, dates of birth, Social Security Numbers, and driver's license/ID information for a subset of current and former postpaid customers as well as prospective T-Mobile customers.
T-Mobile estimates that over 13 million current T-Mobile postpaid customer accounts, around 875,000 active prepaid accounts and around 40 million records of former or prospective customers who had applied for credit with T-Mobile were affected. The prepaid users also had their phone numbers and PINs exposed. T-Mobile has already reset the PINs and is notifying the customers.
For the other customers, no phone numbers, account numbers, PINs, passwords, or financial information were compromised, T-Mobile said. Nonetheless, the operator recommends that they all change their PINs and is offering two years of free identity protection via McAfee's ID Theft Protection Service. In addition, it is offering its Account Takeover Protection feature, which adds a verification step before a number can be ported to another carrier and so makes it harder for an attacker to fraudulently port out and take over a customer's line.
The company’s investigation of the data breach continues, in cooperation with law enforcement authorities. “We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” T-Mobile said in a statement. The company has put up a website with more information for customers affected.
A cyberattack could happen to any MNO, but the one that hit T-Mobile appears to be particularly egregious in terms of scope and type of data obtained. In addition, the operator’s response appears to have been less aggressive and effective than it should have been.
The first notice of the hack came not from T-Mobile itself but from a news website on 15 August, and T-Mobile confirmed it soon thereafter, which gave the impression that the operator was not proactive and not on top of the story. T-Mobile then sent messages to its customers that seemed to minimize the severity of the breach; for example, it said that "we have NO information that indicates your SSN [Social Security Number]" was accessed, whereas it now appears that SSNs were accessed in some cases. T-Mobile's messaging also did not acknowledge that, even though financial information was not stolen, a name paired with its phone number is already potent material for fraud such as SIM swapping and account takeover, and that once dates of birth, ID numbers and SSNs are added to the mix, the risk of highly effective identity theft becomes greater still.
The sheer scope of this data breach should give not only T-Mobile but all mobile operators pause. The figure of 54 million is certainly a large one, but especially notable is the fact that the lion's share of the exposed data (40 million individuals) came from people who were not current customers of the operator at all: either former customers or people who had applied for credit with a view to opening an account with T-Mobile but had not yet done so. That could even have a chilling effect on the mobile market in general, with prospective customers concluding that their data is safest if they make no move in the direction of switching operators.
And finally, T-Mobile's suggestion that customers change their PINs and its offer of two years' free access to McAfee's service do not seem particularly persuasive: a new PIN does nothing to protect someone whose name, date of birth and SSN are already in criminal hands. In the wake of such a disaster, decisive action and innovation are called for. Mobile operators all over the world should take notice and do all they can to ensure that they are not the next victim, and that if they are, they respond in a way that genuinely rebuilds customer confidence.