T-Mobile investigating hack that affected 37 million customer accounts

vtqhtr413

Level 26
Thread author
Well-known
Aug 17, 2017
1,555
The Bellevue, Wash.-based wireless giant said its investigation thus far found that the bad actor accessed “a limited set of customer account data” including name, billing address, email, phone number, date of birth, and T-Mobile account number. The hacker did not breach or compromise the company’s systems or network, the company said, and was not able to access data related to payment information, social security numbers, driver’s licenses, or other financial info. The hack started on or around Nov. 25, and T-Mobile identified the bad actor Jan. 5. “We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it,” T-Mobile wrote in the filing.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
Jul 23, 2022

While T-Mobile has agreed to pay out to those impacted, it has denied that it did anything wrong – including that it didn’t have sufficient data protections in place. Hopefully, the multi-million dollar investment T-Mobile makes will protect customer data in future attacks.
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
As this linked article states in its headline its their - "..8th breach in less than 5 years.."; I'd think very seriously about using T-Mobile.



 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
T-Mobile US today said someone abused an API to download the personal information of 37 million subscribers.
A T-Mo statement on Thursday explained the carrier has started informing people their personal data was accessed, and offered the opinion that "customer accounts and finances should not be put at risk directly by this event." Note the use of "directly" – an apparent acknowledgement that the siphoned records can be used as the basis for phishing, identity theft, and the like, meaning pain could be felt weeks or months after folks are warned of the security fiasco.

The press statement described the stolen data as "basic" and "nearly all of which is the type widely available in marketing databases or directories." Oh, so that's OK, then. No need to really worry about data security. Your personal info is already out there, everywhere, anyway. Thanks to companies like T-Mobile US, of course.
Here's a summary of T-Mobile US's troubles:
  • 2018 – Two million records accessed, including hashed passwords
  • 2019 – Over a million customer records accessed, some personal data exposed
  • March 2020 – Employee email accounts compromised, and customer details accessed
  • December 2020 – A mere 200,000 customer records describing network information leaked
  • 2021 – 48 million postpaid customers' records posted to the dark web
  • July 2022 – T-Mobile USA announces $550 million settlement of the 2021 breach
  • November 2022 - Contributes to $16m settlement of 2012 and 2015 breaches at Experian that entangled T-Mobile customers
 

goodjohnjr

Level 5
Verified
Jul 11, 2018
227
As this linked article states in its headline its their - "..8th breach in less than 5 years.."; I'd think very seriously about using T-Mobile.



It is unacceptable that this keeps happening. I am a T-Mobile customer, and I usually only learn of these hacks in the news instead of from T-Mobile.
 

enaph

Level 29
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,800
US mobile phone provider T-Mobile has just admitted to getting hacked, in a filing known as an 8-K that was submitted to the Securities and Exchange Commission (SEC) yesterday, 2023-01-19.


The 8-K form is described by the SEC itself as “the ‘current report’ companies must file […] to announce major events that shareholders should know about.”


These major events include issues such as bankruptcy or receivership (item 1.03), mine safety violations (item 1.04), changes in a organisations’s code of ethics (item 5.05), and a catch-all category, commonly used for reporting IT-related woes, dubbed simply Other Events (item 8.01).


T-Mobile’s Other Event is described as follows:


On January 5, 2023, T-Mobile US […] identified that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization. We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time.
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814

What's Next for T-Mobile After Yet Another Data Breach?​

"T-Mobile recently agreed to a $350 million settlement to resolve a class action lawsuit filed in response to a 2021 data breach that affected more than 75 million customers. As a part of that settlement, the telecommunications company also agreed to spend $150 million to improve data security, according to a SEC filing. But the company’s data breach woes continue.
T-Mobile has experienced at least five data breaches since 2018, according to Wired. On January 19, it released a statement on its latest breach. The company determined that a bad actor was able to leverage a single API to access customer data. The breach impacted “approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set,” the company reported in a SEC filing. While smaller than the 2021 breach, millions of customers still must contend with their data being exposed. And T-Mobile is faced with the prospect of the consequences of yet another data breach.

Potential Consequences

What could the consequences for T-Mobile look like? “They could certainly face another class-action suit, but we’ve also seen states strengthen data privacy laws in the past two years, which could land T-Mobile in hot water with state regulators differently than the previous breach,” Bill Bernard, area vice president of security strategy at cybersecurity services company Deepwatch, tells InformationWeek. Five states have comprehensive consumer data privacy laws, according to the National Conference of State Legislatures. Many more have introduced their own privacy legislation.
This breach may also impact how much the company plans to spend on shoring up its cybersecurity strategy. Though smaller in scope than the 2021 breach, this latest incident suggests the company still has work to do when it comes to data security. “This leak appears to be roughly one-third smaller, so we can expect the punitive expense to be concurrently smaller with this go-around. What we can’t know is how much more their efforts to ‘double down’ on cybersecurity will cost,” says Ivan Novikov, CEO and co-founder of end-to-end API security company Wallarm.

Long-Term Impact

In its SEC filing detailing the breach, the company noted that it does “not expect that it will have a material effect on the Company’s operations.” It also acknowledged that changes in customer behavior could negatively impact its operations. But for now, it does not seem that the company is anticipating major fallout from this breach.
“With consumer choice limited, and with their practical experience with their 2021 breach, I’m sure T-Mobile has done the calculus and recognized that even a major class-action suit won’t really impact them long term,” says Bernard.
If this pattern of breaches continues, the company could face more impactful ramifications. “It’s possible, if this pattern of a major breach every nine months or so continues, that customers, shareholders, and regulators will tire of it and demand real action,” says Novikov. He also notes that further investment in cybersecurity may affect the company’s rate of innovation and consequently its growth.
Repeated breaches could also eventually take their toll on customer loyalty. “Companies experiencing successive major security incidents need to start investing more heavily in the necessary systems and solutions to reduce their cyber risk, or they may have to completely rebrand, lose executives, and do some restructuring in order to retain any credibility among their customer base,” says Jesus Peña, executive vice president and chief experience officer of IT firm UDT.

Cybersecurity Investment

The argument for investing in cybersecurity is made clear by these kinds of breaches, but will it be enough?
“I fully expect that security spending and improvements will lag behind revenue-generating spending unless these things change,” Bernard anticipates. “Perhaps class-action lawsuits will eventually impact businesses enough to change this. Perhaps consumers will get protection with teeth through government agencies.”
Companies may simply consider data breaches inevitable and regulatory actions and class action lawsuits as an acceptable cost of doing business. “Unfortunately, I believe other companies are currently able to learn the wrong lessons: that these breaches are not extremely financially impactful, given the lack of consumer choice in many instances, the lack of regulatory teeth and other factors,” says Bernard.
“Modern companies need data to operate, and that data will leak at some point to some extent -- so, breaches are likely to continue,” Novikov points out. Rather than completely eliminating breaches, companies will more likely be able to differentiate themselves in the way that they respond to security incidents.
“A strong security program with deep detect, respond, and recover capabilities is crucial in today’s reality, unless you have the deep pockets to weather them as a cost of business, like T-Mobile seems to feel they can,” Bernard argues."
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
As this linked article states in its headline its their - "..8th breach in less than 5 years.."; I'd think very seriously about using T-Mobile.
And it's gone downhill from there, it seems even though far less in number were reportedly affected.


T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.

Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers. Still, the amount of exposed information is highly extensive and exposes affected individuals to identity theft and phishing attacks.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
affected only 836 customers
Same trick, MailChimp tried after their breach? :rolleyes: Btw, I can't find where Bleeping got that number from.

Limited to 133 accounts
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top