While saying its investigation is still ongoing, the company confirmed that records of over 40 million “former or prospective customers” who had previously applied for credit and 7.8 million postpaid customers (those who currently have a contract) were stolen. In its last earnings report (PDF), T-Mobile said it had over 104 million customers.
The stolen files contained critical personal information, including first and last names, dates of birth, Social Security numbers, and driver’s license / ID numbers — the kind of information you could use to set up an account in someone else’s name or hijack an existing one. It apparently did not include “phone numbers, account numbers, PINs or passwords.”
That isn’t the end of it, either, as over 850,000 prepaid T-Mobile customers were also victims of the breach, and for them, the exposed data includes “names, phone numbers, and account PINs.” Affected customers have already had their PINs reset and will receive a notification “right away.” There was also unspecified information accessed for inactive prepaid accounts. However, T-Mobile says, “No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.”
The notice includes boilerplate language that “We take our customers’ protection very seriously,” but it rings especially hollow from T-Mobile considering that this is at least the fourth data breach exposed in the last few years, including one in January. According to the company’s statement, its investigation began based on a report of someone claiming in an online forum that they had compromised T-Mobile’s servers.
A Twitter account advertising stolen data for sale claimed the attack affected all 100 million customers and included IMEI / IMSI data for 36 million customers that could uniquely identify specific devices or SIM cards, but T-Mobile’s announcement does not confirm that is the case.
T-Mobile says it will publish a dedicated website with information for customers later today. It’s offering two years of free identity protection services from McAfee, recommends postpaid customers change their PIN, and mentions its Account Takeover Protection capabilities to prevent SIM-swapping attacks.