New T-Mobile breach affects 37 million accounts – Krebs on Security
T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.
In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused its application programming interface (API) to collect data on roughly 37 million current postpaid and prepaid customer accounts. The stolen data included customer names, billing addresses, email addresses, phone numbers, dates of birth and T-Mobile account numbers, as well as information on the number of customer lines and plan features.
APIs are essentially instructions that allow applications to access data and interact with web databases. But if those APIs are left improperly secured, malicious actors can use them to harvest information stored in those databases at scale. In October, the mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.
The company said it first became aware of the incident on January 5, 2023, and that an investigation determined the bad actor began abusing the API on November 25, 2022.
T-Mobile says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government identification numbers were disclosed.
In August 2021, T-Mobile acknowledged that hackers had stolen the names, birth dates, Social Security numbers and driver’s license/identity information of more than 40 million current, former or prospective customers who had applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.
Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money to bolster its cybersecurity.
In its filing with the Securities and Exchange Commission, T-Mobile suggested it would take years to fully realize the benefits of cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.
“As previously mentioned, in 2021, we began a significant multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the filing states. “We’ve made great progress to date, and protecting our customers’ data remains a top priority.”
Although this is the second major customer data leak in as many years, T-Mobile told the Securities and Exchange Commission that the company does not expect this latest breach to have a material impact on its operations.
While that may sound like a bold thing to say when disclosing a data breach affecting a large portion of your active customer base, keep in mind that T-Mobile reported revenues of almost $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every two years to pay out class action lawyers is a drop in the bucket.
The 2021 breach settlement says T-Mobile will provide $350 million to customers who file a claim. But here’s the rub: If you were affected by the 2021 breach and you haven’t filed a claim yet, please note that you have only three days left to do so.
If you are a T-Mobile customer affected by the 2021 incident, T-Mobile has likely already made several attempts to notify you of your eligibility to file a claim, which includes a minimum payout of $25, with the potential for more for those who can document direct costs associated with the breach. OpenClassActions.com says the claim deadline is January 23, 2023.
“If you choose a cash payment you will receive an estimated $25.00,” the website explains. “If you reside in California, you will receive an estimated $100.00. Out-of-pocket losses up to $25,000.00 can be compensated. The amount you claim from T-Mobile will be determined by the class action administrator based on the number of people who submit a valid and timely claim form.”
There are currently no signs of hackers selling T-Mobile’s latest data haul, but if the past is any guide, plenty of it will soon be posted online. It’s a safe bet that scammers will use some of this information to target T-Mobile users with phishing emails, account takeover attempts and harassment.
T-Mobile customers can fully expect to see scammers exploit public concern about the breach to impersonate the company — possibly even sending messages with compromised recipient account details to make communications appear more legitimate.
The data stolen and exposed in this breach can also be used for identity theft. Credit monitoring and identity theft protection services can help you recover from identity theft, but most will do nothing to stop it from happening. If you want maximum control over who should be able to offer you credit or open new lines of credit in your name, a security freeze is your best option.
Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number when registering an account, but in many cases that number can be removed from your profile afterward.
Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control of your phone number, whether through an unauthorized SIM swap or mobile number port-out, a divorce, a job termination or a financial crisis, can be devastating.