T-Mobile US Data Breach Affects Over 40mn People

Mobile operator T-Mobile US has advised the public that the data breach revealed on a hacker’s forum is genuine. The telco’s ‘preliminary analysis’ confirmed that records relating to 7.8mn postpaid customer accounts and another 850,000 prepaid users were compromised. The hackers also gained visibility of 40mn records, including social security numbers and dates of birth, relating to former or prospective customers who had applied for credit.

An announcement on T-Mobile’s website stated they had closed the access point believed to have been used by the hackers. They also emphasized that there is…

…no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information.

However, a lot of valuable information was still obtained by the hackers.

Some of the data accessed did include customers’ first and last names, date of birth, SSN [social security number], and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.

Customers at risk have been offered 2 years of McAfee’s identity protection service for free. The PINs of the 850,000 affected prepaid customers were also breached, so T-Mobile has proactively changed them all. T-Mobile say there is no evidence that the PINs of any postpaid customers were compromised but are still recommending that all customers change their PINs anyway.

The anonymous online salesperson claiming to represent the hackers said they gained access via an insecure GGSN, reports GovInfoSecurity.

The individual claims that T-Mobile left a Gateway GPRS Support Node, or GGSN, that was apparently used for testing, exposed to the internet. GGSNs are part of the core infrastructure that connects mobile devices to the internet.

“From there, we pivoted through several different IP addresses and eventually got access to their production servers,” the person says in an instant message.

Eventually, the individual accessed more than 100 internal T-Mobile servers, most of them Oracle databases, by brute forcing and credential stuffing. None had rate limiting enabled.
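The failure mode just described, password guessing and credential stuffing against internal servers with no rate limiting, is one that authentication logs expose long before 100 servers fall. As an added example that is not part of the original article or of any T-Mobile or GovInfoSecurity material, the Python below scans constructed login-log lines and flags each source address that shows a brute-force pattern (many failures on one account), a credential-stuffing pattern (failures spread across many accounts), and whether a later successful login from that source warrants investigation; the log format, the thresholds and the IP addresses are all assumptions.

```python
import re
from collections import defaultdict

# Added example, not T-Mobile's or GovInfoSecurity's code. The log lines and
# their format are constructed; adapt LINE_RE to your own auth/listener logs.
SAMPLE_LOG = """\
2021-08-16T02:00:01 src=203.0.113.7 user=svc_report result=FAIL
2021-08-16T02:00:02 src=203.0.113.7 user=svc_report result=FAIL
2021-08-16T02:00:03 src=203.0.113.7 user=svc_report result=FAIL
2021-08-16T02:00:04 src=203.0.113.7 user=svc_report result=FAIL
2021-08-16T02:00:05 src=203.0.113.7 user=svc_report result=OK
2021-08-16T02:01:00 src=198.51.100.9 user=alice result=FAIL
2021-08-16T02:01:01 src=198.51.100.9 user=bob result=FAIL
2021-08-16T02:01:02 src=198.51.100.9 user=carol result=FAIL
2021-08-16T02:01:03 src=198.51.100.9 user=dave result=FAIL
2021-08-16T02:05:00 src=192.0.2.44 user=alice result=FAIL
2021-08-16T02:05:30 src=192.0.2.44 user=alice result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")


def analyse(log_text, fail_threshold=4, account_threshold=4):
    """Return {source_ip: [tags]} for sources showing attack patterns.
    brute_force: >= fail_threshold failures against a single account.
    credential_stuffing: failures spread over >= account_threshold accounts.
    possible_compromise: a success from a flagged source after its failures.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    ok_after_fail = defaultdict(set)               # src -> users later logged in
    for m in LINE_RE.finditer(log_text):           # lines not matching are skipped
        src, user, result = m.groups()
        if result == "FAIL":
            fails[src][user] += 1
        elif src in fails:                         # success only counts after failures
            ok_after_fail[src].add(user)
    findings = {}
    for src, per_user in fails.items():
        tags = []
        if max(per_user.values()) >= fail_threshold:
            tags.append("brute_force")
        if len(per_user) >= account_threshold:
            tags.append("credential_stuffing")
        if tags and ok_after_fail[src]:
            tags.append("possible_compromise")
        if tags:
            findings[src] = tags
    return findings
```

The thresholds are deliberately low so the constructed sample trips them; in production they belong in the lockout or rate-limiting policy of the authentication service itself, with this kind of log review as the check that the policy is actually enforced on every server.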

T-Mobile’s customers should be aware of the risks of data breaches because they have suffered them several times before. Data for over a million prepaid T-Mobile customers was compromised by bad actors obtaining unauthorized access in 2019. The year before, hackers stole data relating to 2mn T-Mobile customers. And in 2015 credit bureau Experian were hit by a cyberattack that yielded the records of 15mn T-Mobile customers.

The share price of T-Mobile US at market close on Thursday was USD140.87, down 2.8 percent compared to the price at the end of last week, before the news of the hack had broken. There was a sharp drop in the share price when markets opened on Monday but it has remained stable since.

Nobody wants to hear that a security vulnerability allowed hackers to gain access to personal data. However, if we can trust T-Mobile’s figures then the scale of the breach is a lot less than the hackers’ original claim to have stolen the data of 100mn people. Customers may be fed up with hearing about data breaches, but neither they nor investors seem to do much about them. This week’s fall in the value of T-Mobile US shares is just a blip relative to the rise they have enjoyed in recent years. For good or bad, we all seem to treat data breaches as routine.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.