
T-Mobile Says At Least 47 Million Current and Former Customers Affected by Hack (techcrunch.com) 51

T-Mobile has confirmed that millions of current and former customers had their information stolen in a data breach, following reports of a hack over the weekend. From a report: In a statement, T-Mobile, which has more than 100 million customers, said its preliminary analysis shows 7.8 million current postpaid T-Mobile customers had information taken in the data breach. The carrier said that some personal data was also taken, including customer names, dates of birth, Social Security numbers and driver's license information for a "subset" of current and former postpay customers and prospective T-Mobile customers. The company also said that 40 million records of former and prospective customers were taken, but that "no phone numbers, account numbers, PINs, passwords, or financial information were compromised." But the company warned that approximately 850,000 active T-Mobile customer names, phone numbers and account PINs were in fact compromised, and that customer names, phone numbers and account PINs were exposed.
  • OMG, if this was in the EU our GDPR legislation would slap them so hard!

    • "OMG, if this was in the EU our GDPR legislation would slap them so hard!"

      The Germans have a 43.2% share, they'll not be amused.

      • by Zak3056 ( 69287 )

        The Germans have a 43.2% share, they'll not be amused.

        No joke--there's a reason the logo is a magenta T.

  • I can't even bother to read further than the title of such articles anymore, because hardly anyone is ever held accountable and there's never a suitable penalty, hence crap like this happens again and again and again, and then smart guys in the comments tell you that hey there's no such thing as perfect security so deal with it and that's it (basically no accountability ever, shame on you for demanding it, and it's your fault your data is leaked and you should expect more of that and accept it).
    • by dknj ( 441802 )

      I'm half tempted to sue them for the entirety of what I paid them over the past 7 years. If they are not going to be serious with my data, then I want all of my money back.

    • by Brain-Fu ( 1274756 ) on Wednesday August 18, 2021 @02:41PM (#61705721)

      YOU are accountable for your security. So, if you were included in the hack, regardless of any legal penalties for T-Mobile, it is still on you to take reasonable steps to protect your identity. That would be all of the following:

      1) Change your T-Mobile pin. They probably reset it for you already. Change it again, and not back to what it was before.
      2) Since your phone number was also exposed, get a new phone number too.
      3) Since your driver's license was exposed, relocate to a new address.
      4) Since your name was exposed, have it legally changed, too.
      5) Since your social security number was exposed, apply for a new one (you have to do that in-person at the social security office).
      6) Since your birth date was exposed, and there is no legal way to change that, you may have to hit the dark web to recruit a hacker that can get this changed for you.

      Long gone are the days when a simple password rotation was sufficient to protect your identity. Because, long gone are the days that businesses abstained from storing all your personally identifying information. Now they store everything they can get on you (usually in unencrypted text files or Excel spreadsheets on their amazon cloud with public access enabled).
       

      • YOU are accountable for your security. So, if you were included in the hack, regardless of any legal penalties for T-Mobile, it is still on you to take reasonable steps to protect your identity.

        All hyperbole aside, your smartest move is to freeze your credit report with all the major credit reporting agencies. You can do it online and it costs you nothing. It became federal law in the U.S. after several politicians had their own credit hacked, and quite suddenly something that the credit agencies claimed

        • Freezing your credit report doesn't hurt your score and doesn't block you from using the credit cards you already have. It blocks anything new that would require reviewing your credit report (like setting up new credit cards, which identity thieves love to do in your name). You can unfreeze it at any time, temporarily, when you want to borrow money.

          Some helpful info here [nerdwallet.com].

          • by zlives ( 2009072 )

            It does have a minor effect on your score, just from my personal experience. But after that you can just read the headlines and shake your head and not worry too much.
            Lockedin since experience fucktitude.

      • by Pascoea ( 968200 )
        I think the only reason this is modded "Insightful" is because "It would be funny if it wasn't so true" isn't an option.
      • 1: I went further than changing my PIN. I didn't even know about this hack, but T-Mobile managed to piss me off after being a customer for only about a month.
        2: it was a new and temporary phone number - I wanted to make sure T-Mobile provided good coverage before I switched the number that matters - coverage was fine
        3: They didn't ask for my DL info, but they do know my address
        4: Don't care - my name is already public record, as is my address too. Even if I change my name to Slashy McSlashdot, someone wi

    • The vast majority of companies just pay lip service to the notion of security. There are several reasons for this. First, security is a pain in the neck: it makes everything more complicated to use, and secure deployments are far more difficult to carry out and maintain. Second, pretending that you take security seriously is a good marketing ploy. Third, when the inevitable breach happens, it is far simpler for the company to intone a mea culpa and put up with the associated fines, perhaps cutting off a few

    • This is primarily why I refuse to give my social security number to anyone. Either they pick a random number for me when I tell them I do not have an SS number or I shop around until I find someone who will.

  • Doubled or trebled if they knew about the vulnerabilities beforehand.

  • We really need to stop harvesting and storing of user data. Why the fuck has a telco got people's SSN's?

    • Re: (Score:3, Insightful)

      by Bodie1 ( 1347679 )

      To run credit checks for post-paid accounts.

      Of course, the RESPONSIBLE thing (and possible requirement) is to delete them after the check is complete.

      • When I moved our family's cell phones over to T-Mobile (quite a few years ago), I had a dickens of a time because some previous T-Mobile customer had apparently used my SSN when they set up their account. And, of course, they were perpetually late paying their bills and eventually got terminated.

      • the RESPONSIBLE thing (and possible requirement) is to delete them after the check is complete.

        A more responsible thing is to fix our financial system so SSNs are no longer required to be both widely known and secret.

        SSNs should only be used as unique* identifiers. Using the knowledge of an SSN as authentication is idiotic and should be outlawed.

        * - Yes, I know that SSNs are not actually unique, which is also stupid.

        • The only legitimate use for SSN is for paying into my account with the social security administration when I am making the mandatory payments along with my taxes.

          Any other use of SSN should be made illegal and ought to already violate best standard practice. US credit agencies operate a moronic system ripe for abuse.

          • Wouldn't much matter. If we stopped using SSN as the way to track people from a credit reporting perspective, they'd come up with some other unique identifier that could just as easily be stolen.
            • there are ways to identify people not based on an 85 year old account system.

              • there are ways to identify people not based on an 85 year old account system.

                The advantage of the SSN system is that we already have it and everyone is familiar with it.

                There is nothing wrong with using SSNs as identifiers. We just need to stop using them for authentication.

                • There are still known issues with using SSN in terms of depositing money into accounts and with handling duplicate assignments at birth. Just because we've done something one way in the past doesn't mean that's the only way to do it. Your position is pretty anti-progress and frankly surprises me.

      • To run credit checks for post-paid accounts.

        Of course, the RESPONSIBLE thing (and possible requirement) is to delete them after the check is complete.

        Yes, but in the US, T-Mobile also wants to ding your credit report if you don't pay your (post-paid account) bill on time.

        But not only that, it wants to allow advertisers to target you based on your income level, demographics, and exact zip code. And this kind of aggregated information is like gold to them, since advertisers are willing to pay 10 to 20 times more for ads if they're able to reach the right target micro-demographics.

        We share data with 3rd parties for uses described in this notice or for purposes you have requested. For example, we may share data with credit bureaus and similar regulated entities [...] We may also share mobile device identifiers, device and service usage data, and demographics information with third-party advertising partners who may use data to serve ads for TMobile and others as described in the Advertising section. [...]

        Tell TMobile “Do Not Sell My Personal Information.” TMobile will not sell personal data to third parties when you tell us not to. Whether you opt out of the sale of your personal information or opt out using our advertising settings here, your info is not used in our ad program. Note that Assurance Wireless is not included in our ad program.
        https://www.t-mobile.com/priva... [t-mobile.com]

        And don't let the wording of those two opt-out options fool you. In the US, T

    • Because sheep just give out their SSN to anyone that asks.

      I am a prepaid customer, it seems my name and phone number were leaked - ohno! T-Mobile issued prepaid customers a new security pin. done.

      The reason for SSNs and other info is to run a credit check for their postpaid service - they have to make sure you are not a risk to default on that 'free phone on us.'
    • "We really need to stop harvesting and storing of user data. Why the fuck has a telco got people's SSN's?"

      And Why TF do they still have data of FORMER customers?

      • And Why TF do they still have data of FORMER customers?

        In the rest of the world, where GDPR means nothing, companies keep everything. If a customer comes back with a dispute, the company has detailed records of everything to fight back against a false claim.

        I'll say this - when I cancel Hulu for 11 months out of the year, I want them to keep my list of shows so I can quickly find them when I sign up for a month to watch them.

  • by zeiche ( 81782 )

    only 7.8M accounts? really? no, seriously really? how long will it be until the number is adjusted upwards a bit? and adjusted again? and again until all of their customers are included in the hacked class???

    us plebs are on to that scam.

    t-mo, i already have a lifetime of credit monitoring. you're gonna have to do better than offer a year of CM this time since you have been hacked over and over and over and over.

    • You appear to be fairly upset, why are you still with them after the previous incident? After this one?
      • by zeiche ( 81782 )

        which US carrier should i subscribe to? they have all been hacked. hence, free credit monitoring for everyone!

        • I'd like to be the credit monitoring company that's double-dipping+ on fees several times over for the bulk of the US.

        • by Pascoea ( 968200 )

          Straight Talk. The only thing* you need to sign up for their service is $50 and a phone that works on whatever network you want to use. If you're fine going to the store every couple months to buy a new prepaid card, you don't even need to give Straight Talk your Credit Card info.

          *It's been a couple years since I signed my wife/daughter up, I don't specifically recall having to give out Social Security number. I may have provided a home address/birth date to open an online account to do auto-pay, but aga

    • by zeiche ( 81782 )

      well that was fast. we're up to 47 million. what will it be tomorrow and why can't they just tell the truth the first time? this scheme of slowly escalating the scope of the issue IS PLAYED.

  • dates of birth, Social Security numbers and driver's license information

    None of my cellular or internet accounts has ever had my Social Insurance number, (I'm Canadian), or my driver's licence info. My cell provider has my DOB from when I signed up with them 25 years ago - I didn't know better, and it wasn't as much of a security problem back then. What in the actual fuck does T-Mobile need with all that information, and why don't subscribers tell them to go fuck themselves when they ask? Overreach, much?

  • Were they vaccinated or unvaccinated??
  • I prefer a strictly cash relationship with my cell phone company.
    It's cheaper for one thing!
    This is just bonus reason.

  • ...gives their driver's license number to a telco? Or their SSN?
