UPDATE: T-Mobile has confirmed that data belonging to the company may have been “illegally accessed”.
“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” the company said in a statement to IT Pro. “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
T-Mobile added that the investigation will “take some time” but it is working with the “highest degree of urgency”.
“Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others,” it said.
The company also said that once it has a more complete and verified understanding of what occurred, it will then communicate with its customers and stakeholders.
16/08/21: T-Mobile has launched an investigation into a claim on an online forum which suggests that the personal data from over 100 million users have been breached.
The forum post doesn’t explicitly mention the company, but the seller told Motherboard they have obtained data related to over 100 million people and that this data came from T-Mobile servers.
The data reportedly contains social security numbers, driver license information, phone numbers, physical addresses, and unique IMEI numbers. Motherboard saw samples of the data and confirmed they contained accurate information on T-Mobile customers.
On the forum, the seller is asking for six Bitcoin, which is approximately $270,000, for a subset of the data which contains 30 million social security numbers and driver licenses.
"I think they already found out because we lost access to the backdoored servers," the seller told Motherboard, referring to T-Mobile's potential response to the breach.
Despite this, the seller said they had already downloaded the data locally and it is backed up in multiple places.
"We are aware of claims made in an underground forum and have been actively investigating their validity,” T-Mobile said in a statement to IT Pro. “We do not have any additional information to share at this time."
The five essentials from your endpoint security partner
Empower your MSP business to operate efficiently
Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, said that the price for the records is "very cheap", at just 1 cent per victim. He said the data could be exploited to conduct targeted mobile attacks, social engineering, sophisticated phishing campaigns, or financial fraud.
"From a legal viewpoint, if the information about the breach is confirmed, T-Mobile may face an avalanche of individual and class action lawsuits from the victims, as well as protracted investigations and serious monetary penalties from the states where the victims are based," he said, adding that it would be premature to make a conclusion before T-Mobile makes an official statement on the quantity and nature of the stolen data.
In January this year, T-Mobile suffered a data breach affecting information government agencies considered to be highly sensitive. It affected around 200,000 customers and contained information such as customer phone numbers and the number of lines subscribed to on their account.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.