T-Mobile has a cybersecurity problem and after half a decade it still hasn’t been able to get a handle on it.
The country’s second-biggest wireless carrier said in a regulatory filing late Thursday that data from 37 million of its customers had been stolen in a breach. Security experts say that while the data wasn’t particularly sensitive, if it were compromised it could put those individuals at high risk of being scammed or otherwise targeted by cybercriminals.
Sound familiar? That’s because T-Mobile was already dealing with the aftermath of a data breach in 2021 that compromised the personal information of nearly 77 million people. T-Mobile agreed to a $500 million settlement in that case in July.
This is just the latest in a string of incidents stretching back to 2018, a massive blemish for a company that once championed the “un-carrier” movement to advocate for consumers who have been duped by the wireless company. The sheer volume of incidents has experts questioning whether staying with the airline puts you at risk.
“Five security breaches in five years,” noted Chester Wisniewski, field chief technology officer for applied research at security company Sophos. “People can decide for themselves whether they want to stay with T-Mobile.”
While both Verizon and AT&T have struggled with data breaches in recent years, they have been minimal compared to the problems T-Mobile has faced.
In the recent T-Mobile compromise, cybercriminals used a corporate API or application programming interface to remove themselves with data tied to customer accounts. APIs are commonly used functions that allow data to be transferred back and forth between different software applications.
The stolen data included customer names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information about what plan features they have with the carrier and the number of lines on their accounts.
T-Mobile declined on Friday to make an executive available for an interview or to comment beyond what has already been said.
In its filing and press release with the Securities and Exchange Commission on Thursday, the company attempted to downplay the value of what was stolen, noting that customers’ financial information and their most sensitive information, such as social security numbers, were not compromised.
That’s misleading, said Justin Fier, senior vice president of red team operations at AI security firm Darktrace.
“I would argue that we shouldn’t dumb it down,” Fier said, adding that such a vast trove of consumer profiles could be of use to anyone from nation-state hackers to criminal syndicates.
“There are dozens of ways to weaponize the stolen information.”
These include SIM swapping attacks, where cybercriminals contact a wireless service provider and use stolen personal information to pose as the account holder, and then demand that their phone number be transferred to a new SIM card. This would allow them not only to access the cell phone number and account, but also any two-factor authentication codes that might be sent to the phone via SMS.
For this reason, Wisniewski said, it’s important that consumers, particularly those compromised by the T-Mobile vulnerability, don’t use SMS as a two-factor authentication method for banking, pension, cryptocurrency, and other critical online use accounts.
Additionally, all cellphone customers should ensure their accounts are secured with a PIN or passcode, which can also help stop SIM card swaps, he said.
Meanwhile, Fier, who worked in counterterrorism for more than a decade before joining Darktrace, said nation-state hackers could also use the data to connect the dots between people for intelligence purposes.
The more average person is more likely to be targeted by scammers who may impersonate T-Mobile over the phone or email. Armed with important tidbits like bank account numbers, these scammers will sound a lot more convincing, he said.
With all of that in mind, Fier, himself a T-Mobile customer, said he won’t lose much sleep or switch carriers because of the injury. He notes that there isn’t enough information yet on exactly how the breach happened or whether T-Mobile is to blame.
The best all consumers can do is increase their personal security by changing their passwords, enabling two-factor authentication whenever possible, and resorting to their free credit monitoring offerings when breaches occur.
Wisniewski was less charitable, saying he would never recommend them given T-Mobile’s track record over the past few years, but he noted that the other wireless carriers aren’t exactly perfect either.
“None of these companies are saints,” he said.