T-Mobile US Inc. said hackers took the Social Security numbers and other personal information of more than 40 million current and prospective customers, a brazen heist that could give criminals the digital keys to commit widespread online fraud.

The cellphone carrier said the stolen data included first and last names, birth dates, Social Security numbers and driver’s license information. The victims included people who applied for credit with T-Mobile—regardless of whether they ended up doing business with the carrier—and about 7.8 million current subscribers with postpaid plans.

Investigators say that stolen data has already been offered for sale in online forums and could eventually be used to commit fraud such as identity theft and SIM swapping—a form of identity theft in which hackers seize control of a victim’s mobile phone number.

“It’s probably the biggest gift to SIM-swappers they’ve received in years,” said Allison Nixon, chief research officer at cyber services company Unit 221B. “The typical life cycle of these databases is first they start off in the hands of the very few, but it will spread because people share data,” she said. “All of these hacked databases eventually go public.”

In online forums and private communications hackers are selling different sets of data linked to the breach, asking between $80,000 and 6 bitcoin ($270,000 at Wednesday’s exchange rates) for access to the information, said Gene Yoo, chief executive of cybersecurity firm Resecurity Inc.

The breach is among the larger thefts of Social Security numbers, though leaks from various companies in recent years have exposed such data on tens of millions of consumers. A 2017 intrusion at Equifax Inc. exposed about 143 million Americans’ personal information, including names, addresses, birth dates and Social Security numbers.

T-Mobile opened an online portal with information for potential victims Wednesday and began to notify individual customers by text and email.

A Federal Bureau of Investigation spokeswoman had no immediate comment about the incident. A spokeswoman for the Federal Communications Commission said the telecom regulator had opened an investigation into the matter.

T-Mobile said the breach also exposed the names, phone numbers and account PINs, or personal identification numbers, of about 850,000 of its customers on prepaid plans, which don’t require a credit check. Subscribers using the Metro by T-Mobile, legacy Sprint and Boost Mobile brands weren’t part of that group.

The company didn’t disclose the extent to which the various victim groups overlapped. Some of the 40 million people who lost their personal credit details might have been included among the count of users with postpaid plans, which often require a Social Security number or other information to set up an account.

The admission is the latest setback for T-Mobile, which disclosed the breach earlier this week in response to reports of its customer information for sale on a hacker forum. Vice’s Motherboard tech site earlier reported on the breach.

The company said early Wednesday that it had reset the PIN codes of all the affected prepaid accounts and recommended that postpaid users do the same.

The carrier said it would offer two years of free identity-protection services from security firm McAfee.

T-Mobile said it found and closed an access point used to break into its servers. The company called the intrusion a “highly sophisticated cyberattack,” but offered few details about how it worked and when its security team discovered the lapse.

A person who tweeted about the attack before it was public and claimed to know the attacker described a breach that relied on lax security measures more than insider know-how or buggy code. This person said the attacker used an unprotected network gateway to reach the company’s backup servers, which stored unencrypted details on customers going back to the mid-1990s.

A sample of the stolen data set posted online included names, addresses and serial numbers that identify a user’s unique device and subscriber identity module, or SIM. Attackers could use the last data point to steal a victim’s phone number, a tactic known as a SIM swap that is often used as a launchpad for other fraud.

The leaked serial numbers, if accurate, could be a gold mine for attackers searching for easy targets, according to Ravishankar Borgaonkar, a senior research scientist at the Norwegian research institute Sintef.

“An attacker just needs to make calls to customer care with the leaked information,” he said, adding that attackers usually spend hours or days trawling several leaked databases to build profiles of their targets. “This database saves time.”

A T-Mobile spokeswoman on Wednesday said the company had disclosed all the information it had about the attack’s effect on customers.

The database breach appears to be the company’s largest so far. A unit of credit-reporting company Experian PLC leaked information about roughly 15 million T-Mobile subscribers in 2015, including encrypted Social Security numbers. Two more attacks in 2020 affected smaller groups of T-Mobile’s subscriber base.

Write to Drew FitzGerald at [email protected] and Robert McMillan at [email protected]

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.

This post first appeared on wsj.com
