NY OAG warns T-Mobile data breach victims of identity theft risks

The New York State Office of the Attorney General (NY OAG) warned victims of the August 2021 T-Mobile data breach that they faced identity theft risks after some of the stolen information ended up for sale on the dark web.

The alert comes after individuals impacted in the incident were notified by identity theft protection services that their info was found online, demonstrating that affected consumers are now at heightened risk for identity theft.

"Information stolen in a massive data breach has fallen into the wrong hands and is circulating on the dark web," said New York Attorney General Letitia James.

"The guidance offered by my office can help prevent identity theft. I advise all New Yorkers to maintain their financial safety by following the guidance my office has laid out."

NY OAG's guidance advises consumers at risk to use credit monitoring services to be alerted within 24 hours when new changes are made, such as large purchases or newly added accounts.

They're also urged to consider placing a free credit freeze on their credit reports (via Equifax, Experian, or TransUnion) to block identity thieves from opening new credit accounts using stolen personal info.

Last but not least, affected consumers can also place fraud alerts on their credit reports to instruct creditors and lenders to take additional steps to verify their identity before issuing credits.

Data breach hit over 54 million T-Mobile customers

Information of T-Mobile's August breach surfaced after a threat actor claimed on a hacking forum to sell a database containing personal info of roughly 100 million T-Mobile customers.

The US mobile carrier confirmed the breach, later saying that the attacker stole records belonging to 54.6 million current, former, or prospective customers.

Data stolen in the incident includes Social Security numbers, phone numbers, names, addresses, dates of birth, T-Mobile prepaid PINs, and driver license/ID information.

Luckily, as T-Mobile claimed, the attacker didn't steal any customer financial information, credit card information, debit or other payment information during the incident.

T-Mobile's CEO Mike Sievert said at the time that the company closed the access points used to brute-force through the carrier's network and assured customers that "there is no ongoing risk to customer data from this breach."

The US Federal Trade Commission (FTC) said in February that Americans reported losing over $5.8 billion to fraud in 2021, a massive total increase of more than 70% compared to the losses reported the year before.

A quarter out of the total of roughly 5.7 million consumer reports filed last year with the FTC (almost 1.4 million) were reports of identity theft.