Popular US mobile carrier T-Mobile has disclosed a data breach that led to threat actors accessing a “small number” of customer accounts, 836 to be specific, between late February and March 2023. The company maintains that no personal financial account information or call records were exposed.
As for the data that was exposed, it includes names, birthdays, contact information, account PINs, account and phone numbers, number of lines, IDs, balances, internal T-Mobile codes used to service customer accounts and perhaps the most worrisome — Social Security numbers.
As mentioned before, according to the filing with the Maine Attorney General’s Office, only 836 individuals were affected by the breach and T-Mobile is currently working on informing all affected customers. The company also reset affected customers’ account PINs and recommends updating them either by logging into the T-Mobile website or via customer support.
According to the notification sent to the affected users, T-Mobile teams were able to “identify the activity, terminate it, and implement measures to protect against it from occurring again in the future”. The company hasn’t shared any information on a specific attack timeline, vector or the nature of the attack itself. However, as is usual, the company is providing two years of free credit monitoring and identity theft detection services provided by myTrueIdentity to the affected users who can enrol by August 31.
While this might be a small breach given T-Mobile’s user base, this is already the second data breach the company has reported in five months since the year started. The previous was in January when a threat actor abused an API to access the personal information of about 37 million postpaid and prepaid customers including account information, including name, billing addresses, email, phone number, date of birth, T-Mobile account number, number of lines on the account and plan features.
In the News: Samsung temporarily bans employees from using ChatGPT