By Matt O'Brien

The names, Social Security numbers and information from driver's licenses or other identification of just over 40 million people who applied for T-Mobile credit were exposed in a recent data breach, the company said Wednesday.

The same data for about 7.8 million current T-Mobile customers who pay monthly for phone service also appears to be compromised. No phone numbers, account numbers, PINs, passwords or financial information from the nearly 50 million records and accounts were compromised, it said.

T-Mobile has been hit before by data theft but in the most recent case, “the sheer numbers far exceed the previous breaches,” said Gartner analyst Paul Furtado.

T-Mobile, which is based in Bellevue, Washington, became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint.

“Yes, they have a big target on their back but that shouldn’t be a surprise to them,” Furtado said. “You have to start questioning the organization. How much are they actually addressing these breaches and the level of seriousness?”

T-Mobile also confirmed Wednesday that approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed. The company said that it proactively reset all of the PINs on those accounts. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.

There was also some additional information from inactive prepaid accounts accessed through prepaid billing files. T-Mobile said that no customer financial information, credit card information, debit or other payment information or Social Security numbers were in the inactive file.

T-Mobile had said earlier this week that it was investigating a leak of its data after someone took to an online forum offering to sell the personal information of cellphone users.

The company said Monday that it had confirmed there was unauthorized access to “some T-Mobile data” and that it had closed the entry point used to gain access.

The company said that it will immediately offer two years of free identity protection services and is recommending that all of its postpaid customers — those who pay in monthly installments — change their PIN. Its investigation is ongoing.

T-Mobile has previously disclosed a number of data breaches over the years, most recently in January and before that in Nov. 2019 and Aug. 2018, all of which involved unauthorized access to customer information. It also disclosed a breach affecting its own employees' email accounts in 2020. And in 2015, hackers stole personal information belonging to about 15 million T-Mobile wireless customers and potential customers in the U.S., which they obtained from credit reporting agency Experian.

“It's a real indictment on T-Mobile and whether or not these customers would want to continue working with T-Mobile,” said Forrester analyst Allie Mellen. “Ultimately T-Mobile has a lot of really sensitive information on people and it's just a matter of luck that, this time, the information affected was not financial information.”

She said the hack didn't appear particularly sophisticated and involved a configuration issue on a server used for testing T-Mobile phones.

“There was a gate left wide open for the attackers and they just had to find the gate and walk through it,” Mellen said. “And T-Mobile didn't know about the attack until the attackers posted about it in an online forum. That's really troubling and does not give a good indication that T-Mobile has the appropriate security monitoring in place.”

Updated on August 18, 2021, at 1:15 p.m. ET with the latest details.

Share:
More In Business
‘Chainsaw Man’ anime film topples Springsteen biopic at the box office
A big-screen adaptation of the anime “Chainsaw Man” has topped the North American box office, beating a Springsteen biopic and “Black Phone 2.” The movie earned $17.25 million in the U.S. and Canada this weekend. “Black Phone 2” fell to second place with $13 million. Two new releases, the rom-com “Regretting You” and “Springsteen — Deliver Me From Nowhere,” earned $12.85 million and $9.1 million, respectively. “Chainsaw Man – The Movie: Reze Arc” is based on the manga series about a demon hunter. It's another win for Sony-owned Crunchyroll, which also released a “Demon Slayer” film last month that debuted to a record $70 million.
Flights to LAX halted due to air traffic controller shortage
The Federal Aviation Administration says flights departing for Los Angeles International Airport were halted briefly due to a staffing shortage at a Southern California air traffic facility. The FAA issued a temporary ground stop at one of the world’s busiest airports on Sunday morning soon after U.S. Transportation Secretary Sean Duffy predicted that travelers would see more flights delayed as the nation’s air traffic controllers work without pay during the federal government shutdown. The hold on planes taking off for LAX lasted an hour and 45 minutes and didn't appear to cause continued problems. The FAA said staffing shortages also delayed planes headed to Washington, Chicago and Newark, New Jersey on Sunday.
Boeing defense workers on strike in the Midwest turn down latest offer
Boeing workers at three Midwest plants where military aircraft and weapons are developed have voted to reject the company’s latest contract offer and to continue a strike that started almost three months ago. The strike by about 3,200 machinists at the plants in the Missouri cities of St. Louis and St. Charles, and in Mascoutah, Illinois, is smaller in scale than a walkout last year by 33,000 Boeing workers who assemble commercial jetliners. The president of the International Association of Machinists says Sunday's outcome shows Boeing hasn't adequately addressed wages and retirement benefits. Boeing says Sunday's vote was close with 51% of union members opposing the revised offer.
Load More