Euro Security Watch with Mathew J. Schwartz

Breach Notification , Governance & Risk Management , Incident & Breach Response

T-Mobile's Current Data Breach Tally: 54 Million Victims

Ongoing Probe Has Found More Data Was Stolen Than First Suspected
T-Mobile's Current Data Breach Tally: 54 Million Victims
Some customers of Metro by T-Mobile were also affected by the breach. (Photo: T-Mobile)

T-Mobile USA says the massive data breach that it suffered is worse than first reported, and that the count of prepaid and postpaid customers whose information was stolen has risen to 14 million. Meanwhile, its count of 40 million credit applications from former customers and prospects having been stolen was revised slightly upward.

See Also: Breaking Free from VPN Limitations: Simplifying Remote Access Security

The latest breach update follows the Bellevue, Washington-based mobile communications subsidiary of Germany's Deutsche Telekom on Tuesday confirming that attackers stole extensive amounts of information for 7.8 million postpaid customers, as well as a lesser amount of information for 850,000 prepaid customers. Postpaid refers to a mobile phone subscription plan that charges an individual at the end of the month for what they have actually used. Prepaid subscribers pay a flat, monthly fee for service.

On Friday, T-Mobile reported that the breach of postpaid customers' information was broader and that more types of data were exposed than it previously believed.

"We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, Social Security numbers, and driver's license/ID information was compromised," T-Mobile says. "We have now also determined that phone numbers, as well as IMEI and IMSI information - the typical identifier numbers associated with a mobile phone - were also compromised. Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any Social Security numbers or driver's license/ID information compromised."

Other Numbers Adjusted

The breach also compromised credit applications for 40 million former and prospective customers, resulting in the theft of individuals' first and last name, date of birth, Social Security number and driver's license or other identifying information, T-Mobile said on Tuesday.

By Friday, however, T-Mobile reported finding that another 667,000 former T- Mobile customers' accounts had been accessed, resulting in the theft of their names, phone numbers, addresses and dates of birth. "These additional accounts did not have any Social Security numbers or driver's license/ID information compromised," it says.

The breach of prepaid customer information was less severe. On Tuesday, T-Mobile reported that 850,000 active customer names, phone numbers and account PINs had been stolen. It said it immediately reset all of the PINs. The same information was also exposed for an unspecified number of inactive accounts. T-Mobile also believed that no Metro by T-Mobile customers, or former Sprint or Boost customers, had been affected.

But on Friday, T-Mobile said that "up to 52,000 names related to current Metro by T-Mobile accounts may have been included" in the stolen information. It said the only information exposed was their names, and no personally identifiable information.

Attacker Claimed IMEI/IMSI Data Theft

The exposure of the postpaid customers' IMEI and IMSI information isn't unexpected. Notably, that was listed among the stolen data when the breach was first publicly revealed by someone with the Twitter handle @und0xxed.

A summary of the data allegedly stolen from T-Mobile

He claimed that customer data had been stolen by an affiliate named @Intelsecrets from "an insecure backup server" run by T-Mobile, where it "was sitting in plaintext."

Investigators Often Find Breaches Are Worse

T-Mobile's revising of the number of breach victims upward is not unusual. Often, as investigators continue to probe a breach, they find it's worse than they initially believed. Sometimes, however, investigators will find that a breach isn't as bad as it first appeared.

Regardless, the responsibility facing an organization that has been breached is to issue timely information that enables victims to best protect themselves - without overwhelming them with micro-updates and triggering "breach fatigue."

But that's the best-case scenario. Regulations can sometimes require organizations to alert authorities or the public more quickly, perhaps before they've had time to assess what really happened.

In other cases, corporate victims get caught out because a breach gets made public before they spot it. Notably, T-Mobile only appears to have learned about its breach at the same time as everyone else - when @und0xxed publicized it.

Data Breach Timing

Here's the timing so far behind this breach:

  • Sunday: The breach of T-Mobile is disclosed by an associate of the attacker, who says the data was exfiltrated beginning two or three weeks prior.
  • Monday: T-Mobile announces it's investigating and says it's brought in third-party experts and alerted law enforcement authorities.
  • Tuesday: T-Mobile confirms the breach. Given the risk of account takeover, identity theft and fraud facing postpaid customers, it says it will immediately offer those affected a prepaid, two-year subscription to McAfee's ID Theft Protection service.
  • Friday: T-Mobile revises upward the number of postpaid victims and types of information compromised.

More details about how this breach occurred - as well as the apparent T-Mobile security missteps that failed to prevent it - will no doubt be forthcoming - and not just from T-Mobile's own investigation.

On Wednesday, the U.S. Federal Communications Commission announced that it's probing the breach. "The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating," an FCC spokeswoman tells me. "Telecommunications companies have a duty to protect their customers' information."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.