Over 1 Million T-Mobile Customers Victims in Data Hack

The “Un-Carrier” has announced that an unknown suspect has broken into its servers and made off with the personal data of over 1 million customers.
T-Mobile has had the festivities surrounding the finalization of its merger with Sprint and its current “Un-Carrier” and Black Friday promotions interrupted. It is now believed that more than 1 million T-Mobile prepaid mobile customers had their personally identifiable information stolen.
“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account,” T-Mobile wrote in a letter to its customers. “We promptly reported this to authorities. None of your financial data (including credit card information) or social security numbers was involved, and no passwords were compromised.”
“The data accessed was information associated with your prepaid service account, including name and billing address (if you provided one when you established your account), phone number, account number, rate plan and features, such as whether you added an international calling feature.”
T-Mobile has indicated that it has notified or will notify all affected customers. Previous customers who do not have current contact information on file, however, could also be affected. The company has invited anyone who suspects their data was stolen in this hack to contact the Customer Care Center at 1-800-T-MOBILE (855-893-6338). Affected customers are advised to change their passwords and PINs.
Under FCC rules, T-Mobile was required to inform customers of the leak, as the data was considered “customer proprietary network information.” It is unclear if T-Mobile would have disclosed the information otherwise. The data leaked include the customers’ names, billing addresses, phone numbers, account numbers, and phone plan information.
“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” the letter continued. “We truly regret that this incident occurred and apologize for any inconvenience this has caused you.”
Data Security
This incident occurred at a time of growing numbers of data hacks and thefts. Despite this, there are examples suggesting that many companies are not taking the threat seriously.
On Friday, Wired reported that 4 terabytes of personal data, encompassing the Facebook, Twitter, LinkedIn, and GitHub profiles of 1.2 billion individuals, was left unprotected on the server of a search engine. This server, while holding no financial data or Social Security numbers, held almost 50 million unique phone numbers and 22 million unique email addresses.
“It’s bad that someone had this whole thing wide open,” Vinny Troia, the dark web researcher who found the server, said to Wired. “This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That’s a lot of information in one place to get you started.”
With the Capital One data breach, which affected over 100 million people, only 4 months in the past, it’s important to keep in mind that a fraudster does not need your Social Security number or financial information to defraud you. With just a person’s name, current address, and date of birth, a fraudster can impersonate someone online, find and buy critical information on the person, and potentially gain access to bank and utility accounts.
Because data hack remediation is always reactive (a data hack typically exploits a vulnerability that the system's programmers or administrators were not aware of until the hack happened), there is no foolproof way to prevent such hacks.
As consumers, the only true defense is proper data hygiene. Things you should do to protect your data include:
- Regularly changing your passwords and PINs,
- Never reusing old passwords and PINs,
- Not using easily guessed sequences, such as your birthday or the last four digits of your Social Security number, as passwords or PINs,
- Not writing down your passwords and PINs, as these can be misplaced or stolen,
- Not using the same passwords for multiple sites, and
- Regularly checking your credit reports and reporting discrepancies promptly.