T-Mobile has a cybersecurity problem that, half a decade later, it still can’t handle.
The second largest wireless carrier in the country It is disclosed in an organizational file Late Thursday, the data of 37 million of its customers was stolen in a breach. Security experts say that while the data wasn’t highly sensitive, its compromise could put these people at risk of fraud or otherwise being targeted by cybercriminals.
Sound familiar? That’s because T-Mobile was already dealing with the fallout from a 2021 data breach that compromised the personal information of nearly 77 million people. T-Mobile agreed $500 million settlement in the case in July.
It marks the latest in a series of incidents dating back to 2018, and it’s a huge stain on the company that once championed the “Un-carrier” movement of holding on to consumers the wireless carrier missed. The sheer scale of the accidents makes experts wonder if staying with the carrier puts you at risk.
Chester Wisniewski, chief technology officer for applied research at security firm Sophos, noted “five breaches in five years.” “People can decide for themselves whether they want to continue using T-Mobile.”
While Verizon and AT&T have both had to deal with data compromises in recent years, they’ve been minimal compared to the problems T-Mobile has faced.
In T-Mobile’s latest compromise, cybercriminals have used the company’s Application Programming Interface, or Application Programming Interface, to tap into data associated with customer accounts. APIs are commonly used features that allow data to be transferred back and forth between different software applications.
The stolen data included customers’ names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, information on what plan features they had with the carrier, and the number of lines on their accounts.
T-Mobile on Friday declined to make an executive available for an interview or comment beyond statements it has already released.
On Thursday Securities and Exchange Commission filing And press releaseThe company attempted to downplay the value of what was stolen, stating that customers’ financial information and most of their private information, such as Social Security numbers, had not been compromised.
This is misleading, said Justin Feier, senior vice president of operations for the red team at AI security company Darktrace.
“I would argue we shouldn’t give that away,” Feier said, adding that such a vast trove of consumer profiles could be useful to everyone from nation-state hackers to criminal gangs.
“There are dozens of ways in which stolen information can be used as weapons.”
It includes SIM swap attacks, where cybercriminals contact a wireless carrier and use the stolen personal information to pass themselves off as the account holder, then request that their phone number be transferred to a new SIM card. Doing so could give them access not only to the wireless number and account, but also to any two-factor authentication codes that might come to the phone via SMS.
For this reason, Wisniewski said, it is important that consumers, especially those who have been compromised in the T-Mobile hack, do not use SMS. Two-factor authentication A way to bank, retirement, cryptocurrency and other important accounts online.
In addition, all wireless customers should make sure their accounts are secured with a PIN or passcode, which can also help stop SIM swapping, he said.
Meanwhile, Feier, who spent more than a decade working in counterterrorism before joining Darktrace, said nation-state hackers can also use data to connect the dots between people for intelligence purposes.
For the average person, there is a higher chance that they will be targeted by scammers, possibly impersonating T-Mobile, either by phone or email. Armed with key tidbits of information such as account numbers, these scammers would look more convincing, he said.
With all that in mind, Fier, a T-Mobile customer himself, said he wouldn’t lose much sleep over the hack, or change carriers. He notes that there isn’t enough information yet about exactly how the breach occurred, or whether T-Mobile was to blame.
The best thing all consumers can do is toughen up their personal security by changing their passwords, enabling two-factor authentication whenever possible, and sharing companies with their offers of free credit monitoring when violations occur.
Wisniewski was less charitable, saying that based on T-Mobile’s track record over the past several years, he’d never recommend it to them, but he noted that other wireless carriers aren’t quite perfect either.
“None of these companies are saints,” he said.