According to the notification letters, the data accessed could include full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines. As a precaution T-Mobile has reset the account PIN for all customers affected by this latest breach.
Although this breach affected a small number of T-Mobile customers, it does call their security methods into question given their history of data breaches. T-Mobile states that their detection systems “worked as designed” but cannot account for the dwell time of the attacker. If the attacker gained access in late February and their systems alerted them in late March, that is a big time difference to account for. This raises the question: has T-Mobile put the proper safeguards in place to protect their client data?
On January 19th, 2023, T-Mobile disclosed that an API had been abused by threat actors, which led to the disclosure of 37 million customer records. This attack began in November of 2022. The attack was not spotted until January 9th. I will give credit to T-Mobile for their response once they detected the abused API: they were able to boot the attackers out in less than 24 hours. Still, the damage was done; 37 million customers’ basic customer information had been stolen from them.
This latest breach marks the 7th breach reported by the mobile provider since 2018, including one by the Lapsus$ group in April of 2022. Perhaps T-Mobile needs to take a look at their internal systems with an eye towards early detection and response.