T-Mobile has admitted that threat actors have stolen personal information on 48.6 million current, former and prospective customers.
The US carrier revealed in a notice yesterday that the breach affected 7.8 million current T-Mobile post-paid customer accounts, over 40 million records of former or prospective customers who had applied for credit and 850,000 active T-Mobile prepaid customers.
Previous reports had claimed that over 100 million customers might have been hit after a threat actor offered customer records for sale on a hacking forum.
T-Mobile said its investigation is still ongoing, and it’s unclear for now how the compromise occurred. However, the firm claimed that the “highly sophisticated cyber-attack” did not affect customers’ financial information.
Compromised personal data of post-paid customers and those applying for credit is thought to have included first and last names, dates of birth, Social Security numbers (SSNs) and driver’s license/ID information.
For the 850,000 active T-Mobile prepaid customers affected by the attack, the hacker is thought to have obtained names, phone numbers and account PINs.
T-Mobile said it’s offering affected customers free identity protection services for two years and recommends post-paid customers change their PIN, even though these numbers are not thought to have been compromised. The firm said it’s also offering account takeover protection for post-paid customers.
Ian McShane, field CTO at Arctic Wolf, said he was skeptical of the phrase “highly sophisticated” given the multiple breaches affecting T-Mobile in recent years.
“The disclosure is of course the right thing to do ethically and legally, but now people need to be on guard against opportunistic phishing and smishing attempts that take advantage of this new incident,” he added.
“The free ‘ID Theft Protection Service’ will be of little comfort for those who have had their SSN and related personal information exposed. The onus is once again on the consumer to change PINs and passwords, and maybe even consider switching phone numbers, as so many services can be linked for authentication purposes.”
There are fears that affected customers may be particularly exposed to SIM swapping attacks, where criminals use stolen personal information to pose as customers. They then trick sales staff into transferring the victim’s phone number to a SIM under their control, effectively hijacking any calls or texts, including log-in authentication codes from banks and other providers.