Telecommunications giant T-Mobile has warned that information including names, dates of birth, US Social Security numbers (SSNs), and driver’s license/ID of almost 50 million individuals comprising current, former, or prospective customers has been exposed via a data breach. While many details of the incident (including its root cause) remain unclear as of August 19, immediate fallout suggests this incident might be one of the most significant of recent times, not least due to the number of records exposed and potential regulatory implications that may come into play.
With the dust still very much settling, here is a timeline of the data breach according to T-Mobile’s public disclosure and other sources. CSO will update this timeline as events unfold.
T-Mobile breach timeline
Sunday, August 15: Hackers claim to be selling 100 million stolen T-Mobile records on cybercrime forum
News broke on Vice.com of hackers claiming to have accessed data relating to over 100 million people, which they were offering sale. While the underground forum post did not mention T-Mobile specifically, a message to Motherboard confirmed that the information came from T-Mobile servers and included SSNs, phone numbers, names, physical addresses, International Mobile Equipment Identity (IMEI) numbers, and driver’s license information. Motherboard confirmed this to be accurate.
The seller was asking for 6 bitcoin (around $270,000) for a subset of the data containing 30 million SSNs and driver’s licenses and said that they were looking to sell the remaining information privately. In a statement to Motherboard, T-Mobile said: “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.”
Monday, August 16: T-Mobile confirms data breach and begins technical review of the incident
With news of the incident making headlines around the globe, T-Mobile issued a statement confirming that unauthorized access to some T-Mobile data had occurred, though investigations were yet to determine if any personal customer information was involved. “We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.”
The company said it was confident that the entry point used to gain access had been closed, and that it was continuing its deep technical review of the situation across systems to identify the nature of any data that was illegally accessed. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment, we cannot confirm the reported number of records affected or the validity of statements made by others,” the statement read.
Tuesday, August 17: T-Mobile says data breach affected approximately 7.8 million current customers and 40 million records of former or prospective customers. Company takes steps to help protect individuals at risk from cyberattack
T-Mobile issued an update on its ongoing investigation into the breach, including estimations of individuals affected and remediation steps it was taking. “Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems. We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment.”
T-Mobile said it located and immediately closed the access point it believed was used to illegally gain entry to its servers, and while its investigation was still underway, it confirmed that the data stolen included some personal information. “We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information,” it said. “Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpaid customers and prospective T-Mobile customers.” The company also confirmed that approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were exposed.
T-Mobile said it would be issuing communications to advise customers on next steps and recommended action to avoid falling victim to follow-on attacks. This included the offer of two years of free identity protection services and advice that all T-Mobile postpaid customers should change their PIN. “This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised,” it added. T-Mobile also offered an extra step to protect mobile accounts with its Account Takeover Protection capabilities for postpaid customers and said it would be publishing a unique webpage for information and solutions to help customers take steps to further protect themselves.
Wednesday, August 18: Security researcher Brian Krebs advises customers to follow T-Mobile advice and warns of follow-on phishing attacks
Security researcher Brian Krebs advised T-Mobile customers to change their PIN as instructed by T-Mobile, but also advocated removing phone numbers from as many online accounts as possible. “Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.” Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this widespread practice has turned mobile phone numbers into de facto identity documents, he added. This creates the possibility of losing control over phone numbers “thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.”
Krebs also warned customers to be on the lookout for related phishing attacks, adding that it is a safe bet that scammers will use some of the exposed information to target T-Mobile users with phishing messages, account takeovers, and harassment. “T-Mobile customers should expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even messages that include the recipient’s compromised account details to make the communications look more legitimate.”