The incident is the fourth known breach at T-Mobile since 2018, and by far the largest. The full count of how many customers had their data stolen is unclear, but the company said last week it had identified more than 53 million affected customers, most of them on subscription plans. It also included an unspecified number of “prospective” users who are not T-Mobile customers…
It is unclear why T-Mobile was storing customers’ driver’s license information and Social Security numbers without encrypting them in a way that would make it difficult or impossible for hackers to see them even if they stole them. Jackie Singh, a cybersecurity consultant, said it was irresponsible on the part of T-Mobile, especially for hard-to-change sensitive personal data like Social Security numbers.
“It is frankly bizarre to learn that in this day and age, a major telco continues to store critical customer data in plain text,” she said. “Offering two years of credit monitoring services doesn’t change the fact that harm was done to their customer base.”
NBC says they spoke to the person identified as the perpetrator by the Wall Street Journal, who told them last week that he’d planned to sell the information on more than 100 million users for a hefty profit.
Meanwhile, T-Mobile’s CEO now says they’re alerting affected users and have set up a hub for victim services. Beneath the words “NOTICE OF DATA BREACH,” it adds the tagline “Keeping you safe from cybersecurity threats. What you need to know and how we’re protecting you.”