T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.
Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers. Still, the amount of exposed information is highly extensive and exposes affected individuals to identity theft and phishing attacks.
"In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023," the company said in data breach notification letters sent to affected individuals just before the weekend, on Friday, April 28, 2023.
T-Mobile said the threat actors didn't gain access to call records or affected individuals' personal financial account info, but the exposed personally identifiable information contains more than enough data for identity theft.
While the exposed information varied for each of the affected customers, it could include "full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines."
After detecting the security breach, T-Mobile proactively reset account PINs for impacted customers and now offers them two years of free credit monitoring and identity theft detection services through Transunion myTrueIdentity.
A T-Mobile spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today to ask for more details.
Second data breach disclosed in 2023
This is the second such incident T-Mobile has revealed since the start of the year, with the previous data breach disclosed on January 19, after attackers stole the personal information of 37 million customers by abusing a vulnerable Application Programming Interface (API) in November 2022.
The mobile carrier spotted the threat actors' malicious activity on January 5 and cut off their access to its systems within 24 hours.
T-Mobile described the data stolen in the January breach as "basic customer information," including "name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features."
Since 2018, the mobile carrier has disclosed seven other data breaches, including one that exposed the information of roughly 3% of all T-Mobile customers.
Other incidents reported by T-Mobile during the last few years include:
- In 2019, T-Mobile exposed the account information of an undisclosed number of prepaid customers.
- In March 2020, T-Mobile employees were affected by a data breach exposing their personal and financial information.
- In December 2020, threat actors accessed customer proprietary network information (phone numbers, call records).
- In February 2021, an internal T-Mobile application was accessed by unknown attackers without authorization.
- In August 2021, hackers brute-forced their way through the carrier's network following a breach of a T-Mobile testing environment.
- In April 2022, the Lapsus$ extortion gang breached T-Mobile's network using stolen credentials.
Update May 01, 16:25 EDT: A T-Mobile spokesperson provided the following statement after the article was published, but didn't reply to a follow-up email asking for more info on how the credentials used in the incident were compromised and if they belonged to employees.
We notified a small number of customers that our systems and processes worked to detect and stop a bad actor who was accessing accounts using compromised credentials. No personal financial account information or call records were included. We take these issues seriously and have taken steps to proactively protect the impacted customer accounts and to help prevent recurrence. We’ll continue to investigate what occurred to expand the safeguards we have in place. - T-Mobile
Comments
mikebutash - 1 year ago
Ok, at what point does the FCC actually get involved in them giving up the nookie time and time again in breaches to say "No more, you are too stupid or lazy to do business?"
Them paying the fine and falling to the same trap again months later yet again screams of insanity and simple lack of responsibility being a holder of Personally Identifiable Information in keeping our data safe. Take away their right to do business, maybe they'll actually do something about it properly!
I just moved to Mint Mobile weeks before acquisition, I guess it's already time to move to another MVNO on AT&T's network again. I don't see them in the news every other week for security breaches.
Drags - 1 year ago
On a more serious note - what do you think is more troublesome. A company that is actively disclosing issues or a company that never "had any issues" until found out and then just goes "ups"?
AutomaticJack - 1 year ago
Nuts.
The clients in the market can only do so much by quitting their carrier. There will always be people who don't care or don't read the news and will carry on as usual. Bar a slap on the wrist wonder what else it will take to have them straighten up? Maybe a slew of clients getting wrecked as a direct consequence of these recent breaches.
KMacintosh - 1 year ago
No surprise. T-Mobile was never a serious carrier until they started to pull a Verizon and cover clever areas (VZW often didn't fully cover areas until recently) and claimed full coverage. It's impressive that Legere came in and made some noise in 2014 or whenever, but I don't know who can take them seriously as a carrier. They are not even cheaper anymore, not even close. Especially when after the UnCarrier Hipster Hype, they then gobbled Sprint right up and created a triopoly in the US.
I don't live exclusively in a city, so my choices are Verizon and AT&T. And I like my choices. VZW is the real expert at network (they not only cover, but they actually set up 5G correctly so it works in tandem with 4G, not decoupled so LTE-only mode doesn't work, and they aggressively use the absolute best frequency, unlike anyone else), and no one is ever going to touch that.
T-Mobile acts very much like a German-owned company would in an American market, regardless of how "independent" they are. And no one can do American-business like an AMERICAN company. It's obvious. FCC needs to tell T-Mo -- get your $#%^ straight, or pack up and go back to Germany.
Drags - 1 year ago
You funny - the only thing more nationalistic is the missed fact that most AMERICAN companies are actively selling your data already. So why bother with the rest?
wackoinWaco - 1 year ago
I moved from T-Mobile after the August 2021 breach to Verizon. I was
happy with the lack of data breaches there.
The plan was $$$$, but I bit the bullet...until...
I'm saving $50/month with Ting Mobile now. They have two networks to choose from - Verizon or T-Mobile and it's obvious which one I chose.
All of the comments above should (but won't) make T-Mobile wake up!!
misericordium - 1 year ago
T-Mobile is simply incompetent irresponsible and misleading at best.