Hackers had access to the personal details of hundreds of customers for more than a month
T-Mobile US, Deutsche Telekom group’s flagship, disclosed a second data breach of 2023, having found that hackers had access to the personal details of 836 customers since late February.
The latest breach looks smaller than the one that came to light in January, which involved the compromise of personal information about 37 million people through a leaky API.
On the other hand, it’s acutely embarrassing that nobody noticed for a month, and since 2018 the mobile carrier has failed to prevent seven other data breaches, as outlined by BleepingComputer.
Enabling identity theft
T-Mobile acknowledged that although the hackers did not access the individuals’ call records or financial account details, they had gleaned personally identifiable information that could be used for identity theft.
At the end of last week, T-Mobile sent a letter to affected customers that read: “In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023.”
While the exposed information varied for each of the affected customers, it could include “full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines.”
A closed stable door
After detecting the security breach, T-Mobile proactively reset account PINs for the affected customers and now offers them two years of free credit monitoring and identity theft detection services through TransUnion myTrueIdentity.
It’s time DT upped its security game in the US.