T-Mobile admits 37,000,000 customer records were stolen by a ‘bad actor’ – Naked Security

US mobile phone provider T-Mobile has just admitted that it was hacked, in a filing known as Form 8-K that it lodged with the Securities and Exchange Commission (SEC) yesterday, 2023-01-19.

Form 8-K is described by the SEC itself as the “Current Report” that companies must submit “[…] to announce major events that shareholders should know about.”

These major events include issues such as bankruptcy or receivership (Clause 1.03), mine safety violations (Clause 1.04) and changes to the organization’s code of ethics (Clause 5.05); the blanket category commonly used for reporting IT-related problems is simply dubbed Other Events (Clause 8.01).

T-Mobile’s “Other Event” is described as follows:

On January 5, 2023, T-Mobile US […] identified that a bad actor was obtaining data through a single application programming interface (“API”) without permission. We immediately launched an investigation with external cyber security experts and within one day of learning about the malicious activity, we were able to track down the source of the malicious activity and stop it. Our investigation is still ongoing, but it appears that the malicious activity has been fully contained for now.

In plain English: the attackers found a way in from the outside, through a single API (a plain web-based connection), that let them retrieve customers’ private information without needing a username or password.
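The failure mode the 8-K describes, shown as an added example rather than anything from T-Mobile’s systems: a customer-lookup API that hands back a record to any caller, beside a hardened form that authenticates the caller and enforces object-level authorization, plus a simple detector that flags one client pulling many different account records. All names, tokens, account numbers and log lines are constructed for the example.

```python
# Added example, not T-Mobile's code: an unauthenticated lookup API beside a
# hardened one, plus an enumeration detector over constructed access-log lines.
from collections import defaultdict
import hmac

# Constructed sample data; account numbers are placeholders, not real identifiers.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1980-01-01", "phone": "555-0101"},
    "1002": {"name": "B. Example", "dob": "1991-02-02", "phone": "555-0102"},
}
# Constructed bearer tokens, each mapped to the single account it may read.
TOKENS = {"tok-alice": "1001", "tok-bob": "1002"}

def lookup_unauthenticated(account_id):
    """Vulnerable pattern: any caller can fetch any customer's record by ID."""
    return CUSTOMERS.get(account_id)

def lookup_authorized(account_id, bearer_token):
    """Hardened pattern: authenticate the caller, then enforce object-level
    authorization (a token may only read the account it belongs to)."""
    owner = None
    for tok, acct in TOKENS.items():          # constant-time token comparison
        if hmac.compare_digest(tok, bearer_token or ""):
            owner = acct
    if owner is None:
        return ("401", None)                  # unauthenticated
    if owner != account_id:
        return ("403", None)                  # authenticated, but not this record
    return ("200", CUSTOMERS.get(account_id))

def flag_enumeration(log_lines, threshold=3):
    """Detection: a client that fetches more distinct account IDs than
    `threshold` is scraping, not reading its own account. Returns {ip: count}."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _, path = line.split()            # constructed format: ip METHOD path
        if path.startswith("/api/customer/"):
            seen[ip].add(path.rsplit("/", 1)[1])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}

# Constructed access-log lines, not from any real system.
SAMPLE_LOG = [
    "203.0.113.9 GET /api/customer/1001",
    "203.0.113.9 GET /api/customer/1002",
    "203.0.113.9 GET /api/customer/1003",
    "203.0.113.9 GET /api/customer/1004",
    "198.51.100.4 GET /api/customer/1002",
]
```

The detector is deliberately crude (a per-client count of distinct IDs); in production the same signal would be computed per time window and combined with the authorization failures the hardened handler now produces.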

T-Mobile first states what kinds of data it believes the attackers did not get, which include payment card details, Social Security Numbers (SSNs), tax numbers, other personal identifiers such as driver’s license or government-issued ID numbers, passwords, PINs, and financial information such as bank account details.

This is the good news.

The bad news is that the attackers apparently got in on 2022-11-25 (ironically, as it happens, Black Friday, the day after Thanksgiving in the US), and they didn’t leave empty-handed.

Plenty of time to loot

It appears that the attackers had enough time to extract and steal at least some of the personal data of about 37 million users, including both prepaid (pay-as-you-go) and postpaid (billed in arrears) customers: name, billing address, email, phone number, date of birth, T-Mobile account number, and account information such as the number of lines on the account and plan features.

Oddly, T-Mobile’s official description of the incident puts it like this:

[T]here is currently no evidence that the bad actor was able to hack or compromise our systems or network.

Affected customers (and, possibly, the relevant regulators) may not agree that the theft of 37 million customer records, including in particular where you live and when you were born…

…can be waved aside as neither a breach nor a compromise.

T-Mobile, as you may recall, paid a whopping $500 million in 2022 to settle a breach it suffered in 2021, although the data stolen in that incident did include information such as SSNs and driver’s license details.

That sort of personal data generally gives cybercriminals a much better chance of committing serious identity theft, such as taking out loans in your name or masquerading as you to sign some other kind of contract, than if they had “only” your contact details and date of birth.

What to do?

There’s little point in telling T-Mobile customers to take more care than usual in trying to spot bogus emails, such as phishing messages, that seem to “know” they are T-Mobile users.

After all, scammers don’t need to know which mobile carrier you use in order to guess that you might be a customer of one of the major providers, and to scam you anyway.

Simply put, if there are any new anti-phishing precautions you’ve decided to take specifically because of this breach, we’d love to hear about them…

…but those precautions are ones you could have adopted anyway.

So, we’ll reiterate our usual advice, which is worth following whether or not you’re a T-Mobile customer:

  • Do not click on “useful” links in emails or other messages. Learn in advance how to navigate to the official login pages of all the online services you use. (Yes, that includes social networks!) If you already know the correct URL to use, you’ll never need to rely on links scammers may provide, whether in emails, text messages, or voice calls.
  • Think before you click. Fraudulent links are not always easy to spot, not least because even legitimate services often use dozens of different website names. But at least some, if not many, scams involve the kind of mistakes that the real company usually doesn’t make. As we suggest in point 1 above, try to avoid clicking at all, but if you do, don’t rush. The only thing worse than falling for a scam is realizing afterwards that, if you had taken a few extra seconds to stop and think, you would have spotted the fraud easily.
  • Report suspicious emails to your business IT team. Even if you’re a small business, make sure all your employees know where to send suspicious email samples or report suspicious phone calls (for example, you can set up a company-wide email address like cybersec911@example.com). Scammers rarely send a single phishing email to a single employee, and they rarely give up if their first attempt fails. The sooner someone sounds the alarm, the sooner you can warn everyone else.

Do you have the time or experience to handle cybersecurity threat response yourself? Worried that cybersecurity will end up distracting you from all the other things you need to do? Not sure how to respond to security reports from staff who genuinely want to help?

Learn more about how Sophos can detect and respond to threats for you:
24/7 research, detection and response to threats