T-Mobile Discloses Startling Security Breach Exposing Private Data Of 37M Customers
Yesterday, T-Mobile, one of the big three mobile internet service providers in the US, announced that it recently fell victim to a data breach. The company disclosed this information in both a news release and a filing with the Securities and Exchange Commission (SEC). However, the news release skips over important details revealed in the regulatory filing.
According to the news release, a threat actor managed to access T-Mobile customer information by way of an Application Programming Interface (API). Within 24 hours of discovering this issue, T-Mobile closed off the method of unauthorized access. What the news release does not reveal is that the company discovered the data breach over a month after the threat actor first gained unauthorized access to a customer database and began exfiltrating information.
T-Mobile’s regulatory filing states that the threat actor seems to have “first retrieved data through the impacted API starting on or around November 25, 2022.” It wasn’t then until January 5, 2023, that the company became aware of the data theft. By the time T-Mobile secured the relevant API, the threat actor had stolen information relating to approximately 37 million customers, which is another detail not disclosed in the news release.
In the news release, T-Mobile tries reassuring impacted customers by stating that the only information stolen was “[s]ome basic customer information (nearly all of which is the type widely available in marketing databases or directories).” This information includes names, billing addresses, email addresses, phone numbers, dates of birth, account numbers, and account information “such as the number of lines on the account and service plan features.” The company makes clear that “No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.”
We have yet to see whether the stolen information will be listed for sale online, but it will likely show up somewhere. T-Mobile suffered a data breach in 2021 that exposed over 47 million customers’ personal information. Threat actors then sold this information on RaidForums, which was an online criminal marketplace. However, we didn’t learn until almost a year later, after law enforcement authorities seized RaidForums and arrested its founder, that T-Mobile tried buying back the stolen data through an intermediary. The seller promised to destroy his copy of the data upon being paid $200,000 in Bitcoin, but, after receiving the money, the seller continued selling the database to other actors. Then, in July of last year, T-Mobile agreed to pay its customers a total of $350 million and spend $150 million on increased security in a settlement over a class action lawsuit related to this stolen information.
The now-defunct hacking group LAPSUS$ also compromised T-Mobile’s systems in 2022, leveraging its unauthorized access to perform SIM swap attacks and download 38,588 of the company’s internal code repositories. T-Mobile suffered breaches in 2020, 2019, and 2018 as well, making 2023 the sixth year in a row that T-Mobile has undergone a security breach.
According to the news release, a threat actor managed to access T-Mobile customer information by way of an Application Programming Interface (API). Within 24 hours of discovering this issue, T-Mobile closed off the method of unauthorized access. What the news release does not reveal is that the company discovered the data breach over a month after the threat actor first gained unauthorized access to a customer database and began exfiltrating information.
T-Mobile’s regulatory filing states that the threat actor seems to have “first retrieved data through the impacted API starting on or around November 25, 2022.” It wasn’t then until January 5, 2023, that the company became aware of the data theft. By the time T-Mobile secured the relevant API, the threat actor had stolen information relating to approximately 37 million customers, which is another detail not disclosed in the news release.
In the news release, T-Mobile tries reassuring impacted customers by stating that the only information stolen was “[s]ome basic customer information (nearly all of which is the type widely available in marketing databases or directories).” This information includes names, billing addresses, email addresses, phone numbers, dates of birth, account numbers, and account information “such as the number of lines on the account and service plan features.” The company makes clear that “No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.”
We have yet to see whether the stolen information will be listed for sale online, but it will likely show up somewhere. T-Mobile suffered a data breach in 2021 that exposed over 47 million customers’ personal information. Threat actors then sold this information on RaidForums, which was an online criminal marketplace. However, we didn’t learn until almost a year later, after law enforcement authorities seized RaidForums and arrested its founder, that T-Mobile tried buying back the stolen data through an intermediary. The seller promised to destroy his copy of the data upon being paid $200,000 in Bitcoin, but, after receiving the money, the seller continued selling the database to other actors. Then, in July of last year, T-Mobile agreed to pay its customers a total of $350 million and spend $150 million on increased security in a settlement over a class action lawsuit related to this stolen information.
The now-defunct hacking group LAPSUS$ also compromised T-Mobile’s systems in 2022, leveraging its unauthorized access to perform SIM swap attacks and download 38,588 of the company’s internal code repositories. T-Mobile suffered breaches in 2020, 2019, and 2018 as well, making 2023 the sixth year in a row that T-Mobile has undergone a security breach.
