T-Mobile has a cybersecurity problem and, after half a decade, still hasn’t been able to get a handle on it.
The nation’s second-largest wireless carrier disclosed in a regulatory filing late Thursday that data from 37 million of its customers was stolen in a breach. Security experts say that while the data wasn’t extremely sensitive, its compromise could put those people at high risk of being scammed or otherwise targeted by cybercriminals.
Sound familiar? That’s because T-Mobile was already dealing with the fallout from a 2021 data breach that compromised the personal information of nearly 77 million people. T-Mobile agreed to a $500 million settlement in that case in July.
This marks just the latest in a string of incidents going back to 2018, a massive stain on a company that once championed the “Un-carrier” movement of sticking up for consumers screwed by the wireless company. The sheer volume of incidents has experts questioning whether staying with the carrier puts you at risk.
“Five breaches in five years,” noted Chester Wisniewski, field chief technology officer for applied research at security company Sophos. “People can decide for themselves if they want to stick with T-Mobile.”
While both Verizon and AT&T have had to deal with data compromises in recent years, they’ve been minimal compared with the problems T-Mobile has faced.
In T-Mobile’s most recent compromise, cybercriminals used a company API, or application programming interface, to make off with data tied to the customer accounts. APIs are commonly used features that allow the transfer of data back and forth between different software applications.
The stolen data included customer names, billing addresses, email addresses, phone numbers, birth dates, T-Mobile account numbers and information on which plan features they have with the carrier and the number of lines on their accounts.
T-Mobile declined on Friday to make an executive available for an interview or to comment beyond the statements it’s already issued.
In its Thursday Securities and Exchange Commission filing and press release, the company tried to downplay the value of what was stolen, noting that customers’ financial information and their most private information, such as Social Security numbers, weren’t compromised.
That’s misleading, said Justin Fier, senior vice president for red team operations at the AI security company Darktrace.
“I would argue that we should not dumb that down,” Fier said, adding that such a massive treasure trove of consumer profiles could be of use to everyone from nation-state hackers to criminal syndicates.
“There are dozens of ways that the information that was stolen could be weaponized.”
That includes SIM swapping attacks, where cybercriminals contact a wireless carrier and use stolen personal information to pass themselves off as an account holder, then they ask that their phone number be transferred to a new SIM card. Doing that could give them access to not only the wireless number and account, but also any two-factor authentication codes that might come to the phone via SMS.
That’s why, Wisniewski said, it’s important that consumers, especially those compromised in the T-Mobile breach, not use SMS as a two-factor authentication method for bank, retirement, cryptocurrency and other critical online accounts.
In addition, all wireless customers should make sure that their accounts are secured with a PIN or passcode, which also can help stop SIM swaps, he said.
Meanwhile, Fier, who spent more than a decade working in counterterrorism before joining Darktrace, said nation-state hackers could also use the data to connect the dots between people for intelligence purposes.
For the more average person, there’s a bigger possibility they’ll be targeted by scammers, possibly impersonating T-Mobile, either by phone or email. Armed with key tidbits of information like account numbers, those scammers will sound much more convincing, he said.
Taking all of that into account, Fier, a T-Mobile customer himself, said he’s not going to lose a lot of sleep over the breach, or change carriers. He notes that there just isn’t enough information out there as of yet about exactly how the breach occurred, or whether T-Mobile is to blame.
The best thing all consumers can do is tighten up their personal security by changing their passwords, enabling two-factor authentication whenever possible and taking up companies on their offers of free credit monitoring when breaches do happen.
Wisniewski was less charitable, saying that based on T-Mobile’s track record over the past several years he’d never recommend them, but he noted that the other wireless carriers aren’t exactly perfect, either.
“None of these companies are saints,” he said.