T-Mobile’s SIXTH Breach in 5 years: 37M Users’ PII Leaks

T-Mobile US has been hacked yet again. In case you’re not keeping score, that’s the sixth time since 2018.

The “Un-carrier” is in-secure, it seems. Un-believable. In-credibly in-competent.

CEO Mike Sievert (pictured) should be un-happy. In today’s SB Blogwatch, we wonder if he might become un-CEO.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Slav and the Furious.

Magenta Maladministration

What’s the craic? Eva Mathews and Lavanya Ahire report—“T-Mobile says investigating data breach”:

Compromised information
T-Mobile, the No.3 U.S. wireless carrier [is] investigating a data breach involving 37 million postpaid and prepaid accounts. … Customer data such as name, billing address, email and phone number was obtained, and it [has] begun notifying impacted customers, said T-Mobile.

Last year, T-Mobile agreed to pay $350 million and spend an additional $150 million to upgrade data security to settle litigation over a cyberattack in 2021 that compromised information belonging to an estimated 76.6 million people.

Let’s get some fresh air. All aboard the Brian Krebs cycle—“New T-Mobile Breach”:

Beginning around Nov. 25, 2022
[It’s] its second major data exposure in as many years. … T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data. … APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases.

There are currently no signs that hackers are selling this latest data haul … but if the past is any teacher … scammers will [soon] target T-Mobile users with phishing messages, account takeovers and harassment. … Data stolen and exposed in this breach may also be used for identity theft.

The company … first learned of the incident on Jan. 5, 2023, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022. T-Mobile says it is in the process of notifying affected customers.
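The Krebs excerpt explains the pattern (one caller using an API to pull many customers' records) but not how a defender would notice it before 40 days pass. The following is an added example, not code from the article, from Krebs, or from T-Mobile: a small detector that scans API gateway logs for one authenticated subject reading an unusual number of other customers' account records in a short window. The log format, the `sub=`/`ip=` field names, the `/v1/accounts/<id>` path, the rule that a `cust-<id>` subject owns account `<id>`, and every sample line are constructed for this illustration.

```python
"""Flag API callers that mass-read other customers' records.

Added example; log format and sample data are constructed, not T-Mobile's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log line shape:
#   <ISO timestamp> sub=<subject> ip=<addr> <METHOD> /v1/accounts/<id> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) ip=(?P<ip>\S+) (?P<method>[A-Z]+) "
    r"/v1/accounts/(?P<target>\d+) (?P<status>\d{3})$"
)

# Constructed sample: two customers reading their own records, one denied
# cross-account read, a support user doing a few spread-out lookups, and a
# burst of 60 distinct account reads from a single partner credential.
_NORMAL = [
    "2022-11-25T03:14:01Z sub=cust-1001 ip=198.51.100.7 GET /v1/accounts/1001 200",
    "2022-11-25T03:14:05Z sub=cust-2042 ip=198.51.100.9 GET /v1/accounts/2042 200",
    "2022-11-25T03:14:09Z sub=cust-2042 ip=198.51.100.9 GET /v1/accounts/1001 403",
    "2022-11-25T03:16:00Z sub=partner-77 ip=203.0.113.5 GET /v1/accounts/9999 403",
    "2022-11-25T03:20:00Z sub=support-12 ip=192.0.2.30 GET /v1/accounts/5001 200",
    "2022-11-25T03:31:00Z sub=support-12 ip=192.0.2.30 GET /v1/accounts/5002 200",
    "2022-11-25T03:45:00Z sub=support-12 ip=192.0.2.30 GET /v1/accounts/5003 200",
    "2022-11-25T04:02:00Z sub=support-12 ip=192.0.2.30 GET /v1/accounts/5004 200",
    "2022-11-25T04:30:00Z sub=support-12 ip=192.0.2.30 GET /v1/accounts/5005 200",
]
_BURST = [
    f"2022-11-25T03:15:{i:02d}Z sub=partner-77 ip=203.0.113.5 "
    f"GET /v1/accounts/{3000 + i} 200"
    for i in range(60)
]
SAMPLE_LOG = "\n".join(_NORMAL + _BURST)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def own_account(subject):
    """Constructed convention: subject 'cust-<id>' owns account <id>; others own none."""
    return subject[len("cust-"):] if subject.startswith("cust-") else None


def find_harvesters(log_text, threshold=25, window=timedelta(minutes=10)):
    """Map subject -> peak number of distinct *other* accounts it read in any
    sliding window. Only subjects at or above `threshold` are returned."""
    by_sub = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] != "200":
            continue  # only successful reads actually return data
        if ev["target"] == own_account(ev["sub"]):
            continue  # a customer reading their own record is expected
        by_sub[ev["sub"]].append((ev["ts"], ev["target"]))

    alerts = {}
    for sub, events in by_sub.items():
        events.sort()
        in_window = defaultdict(int)  # target id -> count inside the window
        left = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            # Drop events that fell out of the trailing window.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[sub] = peak
    return alerts


if __name__ == "__main__":
    for subject, distinct in find_harvesters(SAMPLE_LOG).items():
        print(f"ALERT {subject}: {distinct} distinct foreign accounts in 10 min")
```

The threshold and window are tuning knobs: a support role may legitimately touch a few dozen accounts per shift, so the rule keys on distinct foreign records per short window rather than on raw request volume, and a per-subject baseline would replace the fixed `threshold` in production. The same per-subject, distinct-target counting works whether the log comes from an API gateway, a WAF, or application audit events.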

Uh, “second in as many years”? How about sixth in five years? Or so Simon Sharwood says—“Crooks have this useless carrier on speed dial”:

Execs laughing this one off
The carrier’s flimsy security … has seen it repeatedly suffer data breaches. Here’s a summary:

2018 – Two million records accessed, including hashed passwords
2019 – Over a million customer records accessed, some personal data exposed
March 2020 – Employee email accounts compromised, and customer details accessed
December 2020 – A mere 200,000 customer records describing network information leaked
2021 – 48 million postpaid customers’ records posted to the dark web

That’s a mighty record of mistakes. … That sound you hear? Lawyers everywhere preparing class-action documentation. Or maybe the sound is T-Mobile US execs laughing this one off.

And it took 40 days to detect? That’s piss poor. Here’s SkyMarshal’s indictment:

Calling T-Mobile’s security “ludicrous” would be a compliment. For a company with their resources, especially after multi-billion $ injection from ATT’s failed merger, they are so bad at it, it’s inconceivable. I don’t know who they’re hiring or contracting with to secure their systems and design their protocols, but they are garbage.

They could have hired the best from the security research community and/or the whitehat community to design and implement world class systems, protocols, and procedures – Apple and Google level stuff. But they seem to instead be [box ticking].

What’s a $TMUS customer to do? @RachelTobac has practical advice:

If you use T-Mobile or have friends/family with T-Mobile please remind them that this further increases their risk for SIM swapping, phishing, etc. Recommend folks w/ T-Mobile move away from SMS 2FA and toward at least app-based MFA if a match for their use case & threat model.

And the regulators? This Anonymous Coward counts the ways:

They need to add a 0 every time there’s a breach. At some point either they’ll fix the systems to avoid the fines or they’ll go broke from drowning under them. Either way the consumers win.

Sounds like a plan. Mike agrees:

The government isn’t issuing large enough fines for these breaches. Behemoths like T-Mobile can easily pay a few hundred million dollars without it impacting their bottom line. Fine them a few billion dollars and watch their cybersecurity increase in months instead of years.

Still, I’m sure the PR people are all, like, mea máxima culpa, right? Alumoi read the disclosure:

What? No ‘sophisticated cyber attack by a state sponsored bad actor’? No ‘we take the security of our users …’? Their AI PR bull**** spinner must be on vacation.

Meanwhile, red-iron-pine clarifies that this was an SEC-mandated message to investors:

The average T-Mobile user doesn’t really understand what a breach is, and the handful of network engineer / tech nerds … getting angry about it is superfluous to their bottom line.

And Finally:

Amazing Polish Blender shens

Hat tip: MC Chicken Sandwich

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: T-Mobile US

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
