T-Mobile Suffers Another Data Breach, Affecting 37 Million Accounts

The nation's second-largest wireless carrier on Thursday disclosed that a "bad actor" took advantage of one of its application programming interfaces to gain data on "approximately 37 million current postpaid and prepaid customer accounts." CNET reports: In an 8K filing with the US Securities and Exchange Commission, the carrier says that it was able to trace and stop the "malicious activity" within a day of learning about it. T-Mobile also says that the API that was used does not allow for access to "any customer payment card information, Social Security numbers/tax IDs, driver's license or other government ID numbers, passwords/PINs or other financial account information." According to the filing, the carrier believes that the breach first occurred "on or around" Nov. 25, 2022. The carrier didn't learn that a "bad actor" was getting data from its systems until Jan. 5.

The company's API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts. The company said in the SEC filing that it has "begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements." In 2021, T-Mobile suffered a data breach that exposed data of roughly 76.6 million people. "T-Mobile agreed to a $500 million settlement in the case in July, with $350 million going to settle customer claims from a class action lawsuit and $150 million going to upgrade its data protection system," adds CNET.

Wow

[peterww]

> and $150 million going to upgrade its data protection system

So they paid themselves $150 million and didn't do jack shit, so really their fine was 200 Million. Whatever lawyer wrangled that deal got a big fucking bonus that year

Re: Wow

[dknj]

A t-mobile customerâ(TM)s data is only worth $5.41. Who is going to sue for $5

Itâ(TM)s time to start using privacy services and using an alternate identity when subscribing to these products

Re:

[Anonymous Coward]

They need to add a 0 every time there's a breach. At some point either they'll fix the systems to avoid the fines or they'll go broke from drowning under them. Either way the consumers win.

Re: Wow

[Miamicanes]

Exactly. AT&T sucks, and Verizon is proudly evil.

T-mobile is far from perfect, but at least it genuinely tries to be good, even though it occasionally drops a ball that AT&T ignores, and Verizon actively tries to mutilate and destroy.

Re:

[uncqual]

They did reduce the number of customers whose information was breached from 76.6M last time to 37M this time - that's about a 50% reduction.

T-Mobile may count that as "success" and "job well done" (at least for purposes of executive bonuses).

Sorry guys.

[Narcocide]

They were looking for me.

Dear T-Mobile:

[DesScorp]

"Get More" was supposed to be for your customers, not Ivan or Oleg or Zhao.

Already Compromised

[Archangel Michael]

I consider my info as already compromised at this point. IMHO if one issues credit or otherwise give access based on my compromised data, to anyone NOT me, that's on them. I shouldn't be on the hook for any losses based on activity I didn't authorize.

Re:Already Compromised

[Tora]

The burden of proof for financial transactions is completely ass-backwards.
It's on you to prove you DIDN'T do something, not on the banks to prove you DID.

Authorization/signatures is one place where public blockchain makes a lot of sense.
I've love to tell all the banks:

The only way I'm accepting financial liability for a contract for debt is if it has a signature for that contract on this public blockchain, with my key.

The burden of proof is back on them at that point. I have a cryptographic proof mechanism to approve these things, and anything else is fraud.

Re:

[Archangel Michael]

Public Keys are a great start, but I wouldn't want that to be the only thing proving me or authorizing anything. I would want broad sweeping time consuming steps that a bot or cracker is unlikely to follow through with.

Security isn't convenient and convenience isn't secure.

Last time this happened...

[williamyf]

I argued about T-Mobile having a "save-face" card in the form of "integration pains" with T-Mobile and Sprint's systems. And that the way forward was to say that they would take best of breed brapctices of the two companies to ensure that this did not happen again...

But this time around... no excuses! The company did learn j4cksh17 from the past incident, and did nothing substantial behind the scenes to harden thir systems...

It suscks!

Birthdate?

[bagofbeans]

The company's API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers

Why does a celphone provide need a customer's birth dates?

Re:

[Virtucon]

It's used to verify who you are if someone calls in for support and you're not using your phone number as listed with T-Mobile.
It's still PII and they need to get a handle on it. My ISP makes me go through 3 levels of asking, a PIN, a Phone Number, and an Account Number before they'll talk to me.

Don't worry, pretty soon the WEF will have your Iris scan, blood type, and DNA information for your new global passport.

Someone is not telling the truth!

[RitchCraft]

"T-Mobile said no social security numbers, credit card information, government ID numbers, passwords, PINs or financial information were exposed in the hack." - This makes zero sense to me. I hear this line from companies all the time. How is it you can keep the SSNs, credit card numbers, government IDs, passwords, PINs , and financial data safe from hackers but the other information you can't? So put all information in the same category as the "non-hackable" data. Sounds like a load of BS to me (probably because it is).

Re:

[Zak3056]

"T-Mobile said no social security numbers, credit card information, government ID numbers, passwords, PINs or financial information were exposed in the hack." This makes zero sense to me. I hear this line from companies all the time.

You know, I'm normally suspicious of shit like this as well, but your selective editing above is just plain egregious. Here's the actual claim from the summary:

T-Mobile also says that the API that was used does not allow for access to "any customer payment card information, Social Security numbers/tax IDs, driver's license or other government ID numbers, passwords/PINs or other financial account information."

That's a pretty important distinction, and actually does make sense.

How is it you can keep the SSNs, credit card numbers, government IDs, passwords, PINs , and financial data safe from hackers but the other information you can't?

By not giving the API access to that data? That's not rocket science, that just common sense.

So put all information in the same category as the "non-hackable" data.

Presumably, that would be a different API... so if you used that one, in this context, you would be giving the system using the data leaked here access to more information than it needed,

Re:

[whoever57]

T-Mobile also says that the API that was used does not allow for access to "any customer payment card information, Social Security numbers/tax IDs, driver's license or other government ID numbers, passwords/PINs or other financial account information."

That's a pretty important distinction, and actually does make sense.

But it does give access to birth dates? It seems a little unbelievable that it would give access to birth dates but not other financial information.

Re:

[RitchCraft]

Still smells like BS to me.

Another reason not to give them SSN

[schwit1]

At this point T-Mobile can't be trusted to secure sensitive data. To that end they should be required to deleted SSNs once the original credit check is done.

Not surprised

[Locke2005]

Somebody once got ahold of my T-Mobile phone number, and decided to use it to make $11 dollar payments by phone to my T-Mobile account using stolen credit cards to test if the cards were still active. I immediately informed T-Mobile that someone was making unauthorized payments to my account and asked them to cancel the payments, their response was "Only the owner of the credit card can do that!" Then, T-Mobile started charging me a $35 fee for each payment that was rejected, and that "You need to talk to

Statutory liability, again...

[alispguru]

Companies will stop leaking (and stop retaining info they don't need) when they reliably get hurt when they leak.

I propose a fine of $100 per person's data for every leak.
"Leaked data" means data that can be used for identity theft.

No class-action lawsuits, no requirement to show injury as a result of the leak.
No worthless data monitoring subscriptions, no $5/head settlements.

This event would have cost T-Mobile $3.7 billion.

Look in the mirror, probably not T-Mobile's fault

[xanthos]

Not defending T-Mobile, but since an API was used to pull data my suspicion is that a perfectly good set of credentials was used.

Ever hear of a developer being stupid enough to put credentials in a Git repo?

Ever hear of a developer being corrupt enough to sell company creds on the dark web?

Hanlon's razor time again.

At Least They're Consistent

[organgtool]

If my count is correct, T-Mobile has been hacked once per year for the past five years. At least they're consistent and at least I'll get another free year of credit monitoring - that makes it all worth it!

Re:

[LoisBrown1]

Today I would like to address all players . How do you have fun? For example, I like to play online casinos very much. But for a long time I could not choose for myself the ideal place to play at an online casino. I want you to pay attention to https://www.slotsup.com/free-s... [slotsup.com] . This is a cool casino.