T-Mobile Data Breach

It’s a big one:

As first reported by Motherboard on Sunday, someone on the dark web claims to have obtained the data of 100 million from T-Mobile’s servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver’s license information, and IMEI numbers, unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data “contained accurate information on T-Mobile customers.”

Posted on August 19, 2021 at 6:17 AM17 Comments

Comments

anonymous August 19, 2021 9:34 AM

“contained accurate information on T-Mobile customers.”

And former T-Mobile customers, apparently back to the 1990s.

anonymous August 19, 2021 9:35 AM

“contained accurate information on T-Mobile customers.”

And former T-Mobile customers, apparently back to the 1990s.

And even some prospective T-Mobile customers.

SocraticGadfly August 19, 2021 9:36 AM

Sprint user, part of its merger with T-Mobile. I apparently have not been hacked, but … twice before this, and once after I got them to check, T-Mobile’s been aggressive on saying “switch your SIM card.” Why?

wiredog August 19, 2021 10:00 AM

The heck of it is I can’t think of anything that isn’t already out there, at least for me.

Etienne August 19, 2021 10:43 AM

Social Security should take steps to fine companies that cause the release of its proprietary identification numbers.

I’m talking billion dollar fines.

Second, the Social Security Administration should enter the 21st Century and begin issuing smart cards to all recipients. Said smart cards would use public key cryptography, biometrics (fingerprint), and PIN numbers. a la military ID smart cards.

Retire the insecure number system.

mexaly August 19, 2021 12:42 PM

If someone would just dump a directory of social security numbers, it would stop them being used as passwords, once and for all.
Just dump the whole list on the internet.

Max Entropy August 19, 2021 5:35 PM

What justification or (say, Federal) requirement does a telecom have for even requesting someone’s SSN? Sure it makes bill collection easier, but that seems like an excuse and not an operating principle.

gg August 19, 2021 10:46 PM

@Max Entropy, most carriers do a credit check, if you want to open a post-paid account. That’s why they ask for your social security number. Of course there’s. no good reason they have to keep and store the information after they’ve done the credit check. Other services like the gas company do this too.

Terry Cloth August 20, 2021 8:04 AM

FWIW, I bought a prepaid Tracfone. When the clerk asked for PII, I started to make it up, but then he found he could leave it all blank and the activation would go through, anyway.

SpaceLifeForm August 20, 2021 4:10 PM

@ SocraticGadfly

They may be trying to tell you something.

hxtps://www.theguardian.com/us-news/2015/feb/19/nsa-gchq-sim-card-billions-cellphones-hacking

SpaceLifeForm August 20, 2021 4:22 PM

Dump merge or stupid users?

There is no reason for Drivers License to be included. There are many phone users that have no Drivers License because they have no car, nor can afford one.

Dean August 20, 2021 6:40 PM

@SpaceLifeForm – Drivers licenses are often used for identification when picking up a phone from T-Mobile. They need some way of confirming that the person is allowed to pick up the phone. That said, there is absolutely no reason for companies to be storing this information.

@Bruce – What is interesting here is that no financial information was breached. That’s likely because of the PCI Compliance that companies have to adhere to when dealing with payment gateways and credit card companies. While those aren’t law, companies will lose access to these facilities if they don’t adhere. So there is a capability for companies like T-Mobile to protect data, the will just isn’t there because the consequences for not protecting the data isn’t severe enough.

Clive Robinson August 20, 2021 10:57 PM

@ Dean, Bruce, ALL,

That’s likely because of the PCI Compliance that companies have to adhere to when dealing with payment gateways and credit card companies. While those aren’t law, companies will lose access to these facilities if they don’t adhere.

Partially true, but there is rather more to it than that. Because the real reason is more down to with the “when, what, and how” of the regulating entity’s actions.

Compare the Government based legal/regulatory process and it’s outcome, and the Payment Card Industries(PCI) process and it’s outcome.

The legal/regulatory process is,

Very slow, mostly non interfering with core business, can be negotiated/appealed for a very long period of time with absolutly no change to the business, and results in a comparatively small fine (see the effect the EU GDPR had with just a real increase in fine size).

Whilst the PCI process is,

Very fast, shuts the business down, is hard to negotiate/appeal without change and reaults in at best a significant cost in business transactions making the company less profitable if not bankrupt in short order.

From a senior manager on bonus and the like, the Government action costs them personally next to nothing. The business is likely not effected in any meaningfull manner and the manager might actually have a boost in their income. The eventual fines will in all probability be relatively small to non existant. Because they will be treated as just another cost of doing business and deductable business costs at that. So whilst looking good on paper for a Government entity, such a fine will in reality have little or no real effect.

However the PCI action stops the business “dead in the water” very rapidly. Because as paymants can not be processed the business quite literally “stops dead” and has all the running costs but no income. The effective closing of the business will have significant costs in customer confidence thus brand name. Like having a “fire” it’s not at all certain the business will recover.

You can see why Government action brings little fear to a large technology or telecommunications corporation they have likely prepared for it, and may almost certainly have a business plan ready to go, with PR campaign etc already scripted etc.

However having the money flow, which is the life blood of many of these corporations “turned off” like a tap is a major fear as is the major loss in customer confidence.

Look at it this way, why should a corporation worry about a paper-cut from a Government legislator / regulator in the far future, when another corporation has the equivalent of a knife up against the jugular and would be happy to cut more than a little if it does not get what it wants as it would keep others in line?

It should tell legislators that the way to bring these corporations to heal as and when required, is not by protracted court cases and effectively inconsequential fines. But by freezing their money supply / transactions so “income stops” but “costs continue”, just as it does with ordinary human suspects who are held pending bail etc who can not work or otherwise meet their bills.

There is a “legal nicety” that corporations are equivalent to individual humans. They are clearly not when it comes to crime and punishment, thus addressing this so corporations do get treated a little more like humans might make them behave a little more like ordinary humans. You never know till you try, and I can think of a few big “brand names” that could be experimented on with little real harm…

echo August 23, 2021 9:23 AM

@Clive

Look at it this way, why should a corporation worry about a paper-cut from a Government legislator / regulator in the far future, when another corporation has the equivalent of a knife up against the jugular and would be happy to cut more than a little if it does not get what it wants as it would keep others in line?

It should tell legislators that the way to bring these corporations to heal as and when required, is not by protracted court cases and effectively inconsequential fines. But by freezing their money supply / transactions so “income stops” but “costs continue”, just as it does with ordinary human suspects who are held pending bail etc who can not work or otherwise meet their bills.

There is a “legal nicety” that corporations are equivalent to individual humans. They are clearly not when it comes to crime and punishment, thus addressing this so corporations do get treated a little more like humans might make them behave a little more like ordinary humans. You never know till you try, and I can think of a few big “brand names” that could be experimented on with little real harm…

You’re not putting enough effort into improving regulation but blindly handing power to unaccountable corporations to create yet more corporate made law. This is a mechanism which is already being unlawfully abused as in commented the other year. Not only does it unlawfully prevent women from buying medical products over the internet but it has also over the past week caused a big stink with the (mostly male) business OnlyFans building itself into a billion dollar company by exploiting women on a nod and a wink before pulling the rug due to Mastercard using lose language in its T&C’s. OnlyFans is pointing the finger at Mastercard. Mastercard say they made no such statements. Who to believe? Meanwhile OnlyFans with it’s new “clean” image is gearing up for an IPO. A coincidence, I’m sure. This has put many thousands of women who depend on OnlyFans as a source of income to put food on the table in the lurch.

There are substantial far right links with people pushing to close OnlyFans and other similar kinds of outlets down as well as introduce the so called “Nordic model” in spite of pretty much every mainstream women’s advocacy and human rights NGO opposing this as the data very clearly shows it creates more harm as well as stripping women of self-autonomy which is the agenda of the far right.

You will also note that America’s abuse of the international finance system can and has been used to push sanctions or punish third parties like the European Union as well as add behind the scenes pressure during trade negotiations.

fedos August 23, 2021 1:27 PM

So far the only communication that I’ve received from T-Mobile is a message telling me about the breach and, without a hint of irony, a link to an article about how to protect your personal information.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.