T-Mobile confirmed a data breach Monday, affecting more than 54 million former, current postpaid and prospective customers. The company discovered the breach because it was posted on an online criminal forum.
This is the latest in a line of publicly disclosed data breaches. Since 2018, the company has disclosed four other security incidents.
As details of the breach continue to unfold, Cybersecurity Dive collected the need-to-know facts alongside questions that remain.
Who was impacted:
The T-Mobile data breach affected about 7.8 million current postpaid customer accounts and 40 million accounts of former and potential customers that applied for credit. On Friday, T-Mobile disclosed another 5.3 million postpaid customer accounts and 667,000 former customers were hacked.
The type of data accessed varies among users, but includes names, drivers' licenses, government ID numbers, Social Security numbers, birth dates, and T-Mobile account pins, the company said Wednesday. The company added that for the 7.8 million customers, their International Mobile Station Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) information was also part of the compromised data, in an updated statement Friday.
Because former customers were impacted by the breach, "urgent questions need to be asked about whether it is appropriate for T-Mobile to still hold this data at all," said Tony Pepper, co-founder and CEO of Egress.
The intrusion also exposed the names, phone numbers and account PINs of about 850,000 active T-Mobile prepaid customers but did not reach former Sprint prepaid or Boost customers. On Friday, T-Mobile found up to 52,000 names associated with Metro by T-Mobile accounts may have also been compromised, the company said.
For inactive prepaid customers, other information was accessed via prepaid billing files, though no financial information or Social Security numbers were exposed.
As with other breaches, T-Mobile is offering impacted individuals two years of identity protection. The company is encouraging customers to update their PIN numbers. "This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised," the company said Tuesday.
While a forensic investigation is still underway, T-Mobile "located and immediately closed the access point that we believe was used to illegally gain entry to our servers," the company said in its Tuesday statement.
Secondary attacks weaponizing stolen consumer data will be the next issue T-Mobile will have to address, according to Pepper. The company will also have to comb through data it is still retaining. "We're living in an era of massive cyberattacks — and major organizations like T-Mobile must accept that they are a target," he said.
While the 48 million compromised records is far less than the 100 million rumored on a criminal forum, the incident is only the latest in a line of data breaches.
- September 2015: After an unauthorized party gained access to an Experian server, T-Mobile data hosted on it was breached. T-Mobile customers that applied for services or device financing between September 2013 and September 2015 were impacted.
- August 2018: About 2 million customers' names, birth dates, zip codes, phone numbers, emails, account numbers and account types (prepaid or postpaid) were potentially accessed illegally. The company reported the activity to authorities and was able to stop the breach at the time of discovery.
- November 2019: T-Mobile "quickly corrected" an incident that compromised some T-Mobile prepaid wireless accounts, which included names, addresses and rate plans. No financial data or Social Security numbers were accessed.
- March 2020: The telecommunications company found a "malicious attack against our email vendor" that breached some employee email accounts. Within those email accounts, some customer data might have been accessed. Personal information included names, addresses, Social Security numbers, and government identification numbers.
- January 2021: While the security incident did not expose names on accounts, email addresses, financial data, tax ID, or Social Security numbers, customer proprietary network information (CPNI) was accessed. About 200,000 customers were reportedly impacted.
T-Mobile does not list a security chief among its leadership page, though the company added Timothy Youngblood as SVP, CSO, and product security officer in April 2021. The company also has Dwaine Omyer, who has been VP of digital security since 2017, according to his LinkedIn. T-Mobile also has a CIO and CTO. Bill Boni served as the SVP of information security in 2009 but has since retired, according to his Linkedin.
While there were a number of security executives at Sprint, they did not carry over to T-Mobile when the merger was completed in April 2020 and the Sprint brand was absorbed. Mark Clancy, served as CISO of Sprint from July 2018 to August 2020, while Perry Siplon served as Sprint's CSO from April 2010 to April 2020.
Some companies might have different expectations between a CISO and a CSO, with CSOs responsible for all security, including the protection of physical and digital assets. "I can't speak for T-Mobile, but typically when companies don't designate a CISO, it's because they aren't taking their technologists seriously when they are ringing the alarm," said Amy Keller, partner and leader of the cybersecurity and technology law group of DiCello Levitt Gutzler.
"It's typically much cheaper to implement appropriate cybersecurity and hire specialists than it is to defend a data breach case," she said.
Some of the compromised data belonged to former T-Mobile customers, which is a lesson in data minimization. While storing old, irrelevant data is not something state data privacy laws forbid, it's not recommended.
"Privacy laws that do touch on data minimization only recommend it as a best practice or as a condition for achieving a safe harbor for allegations of improper security — like from a regulatory agency like the FTC," said Keller.
"Generally speaking, it's still the wild west in the United States for the types of information that companies can keep about us," she said.
Older data is typically stored on legacy systems. Companies may be unaware that they are still hosting irrelevant information — and carrying a potential security liability. However, in terms of potential data breach laws and penalties, older information might spare companies from fines.
"A company would certainly have a reasonable defense to a data breach if the data that was breached was outdated and could not be used to engage in identity theft," said Keller, Though some data, including Social Security numbers, does not have limits.
Update: This article has been updated to reflect changes in T-Mobile's estimates of breached users.