T-Mobile Leaks PII of ‘Every User’ in HUGE 100M+ Breach

T-Mobile US has lost control of its account database, hackers say. More than 100 million records are for sale—which is basically $TMUS’s entire user base.

If true, it’s the sixth such breach in as many years: Earlier leaks of PII came in 2015, 2018, 2019 and 2020 (twice). It’s an absolute shambles. Is CEO Mike Sievert’s standard grin a little less toothy today?

The data disclosed looks to be enough to steal any user’s identity. In today’s SB Blogwatch, we hide under the covers and weep magenta tears.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Relive your on-hold trauma.

Yet Another Leak

What’s the craic? Joseph Cox reports—“T-Mobile Investigating Claims of Massive Customer Data Breach”:

T-Mobile repeatedly declined to answer
T-Mobile says it is investigating a forum post claiming to be selling a mountain of personal data. … The seller [claims] they have obtained data related to over 100 million people.

The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. [I have] confirmed they contained accurate information on T-Mobile customers.

The seller is asking for 6 bitcoin, around $270,000, for a subset of the data containing 30 million social security numbers and driver licenses. … T-Mobile repeatedly declined to answer follow-up questions about the scale of the breach.

No information at all? Aakriti Bhalla peered in T’s drawer—“T-Mobile investigating”:

We do not have any
“We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time,” a T-Mobile spokesperson said in a statement.

And Jon Fingas fingers the reason—“Giant customer data breach”:

Might affect virtually every user
Yet another reported data breach. … The network has a less-than-stellar history of breaches in recent years. Hackers compromised sensitive customer info in late 2019, while a late 2020 attack scraped limited data for about 200,000 users.

[But] this is much more serious. T-Mobile had over 104.7 million customers as of the second quarter of 2021 — this breach might affect virtually every user. While it’s not certain just how much real damage has been done, you might want to watch out for suspicious activity.

Worrying. But a slightly sarcastic phalse phace is no longer worried:

I was worried
Glad to see that T-Mobile is being consistent. … I was worried we wouldn’t see a data breach for 2021 considering there was one in 2017 and 2018 and 2019 and [two in] 2020.

Yet again? A fifth time? craftkiller is fed up with reading this story:

Again?
Again? At what point does T-Mobile declare a state of emergency and bring in outside experts? It’s getting harder to justify remaining a T-Mobile customer every year.

Wait. Pause. Make that six times. jonathanmayer goes back a bit further:

2015
I served as CTO of the FCC’s Enforcement Bureau. … In 2017, the FCC determined that T-Mobile had violated federal law in a [2015] data breach involving customer credit information. There was reportedly no fine because Congress has imposed a strict one-year statute of limitations on FCC enforcement actions.

Who’s at fault? Greg Knieriemen—@Knieriemen—knows where the blame lies:

Lack of an air gap
I love T-Mobile’s service but this looks like a pretty big deal. Data protection strategies have to include heavy scrutiny of what data is being stored and where.

Do SS numbers and driver licenses information all need online access? … And by “online access” I mean the lack of an air gap for critical data.

Why does T need that info at all? anoncoward69 explains:

They might think twice
They take SSN and DL and run a credit check, because when you get a discounted phone and are paying for it over a 1 or 2 year term, they have essentially extended a loan to you.

They want to know you’re going to be good for making those payments over the term. If you’re missing a ton of CC and other loan payments, they might think twice, or require you to put more as a “down payment” for the phone. If you buy your phone outright, they probably still have to take a DL at minimum just to prove the account holder’s identity.

What can be done about it? cascom ideates an idea: [You’re fired—Ed.]

National register
I feel like companies like this should have to register a data breach like this in a national register, and then should someone become a victim of identity theft, the companies on that register associated with that person should [share] the costs associated with that theft … without the victim having to show that it was a direct result of that breach.

Meanwhile, whodunnit? Prod_Deity deploys a clue:

*NSA has left the chat*

And Finally:

“Your call is important to us” Aaaaarrrrgh!

Hat tip: nospoon

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Mika Baumeister (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
