Update: On Wednesday, T-Mobile confirmed many of the details of the attack, including the theft of names, dates of birth, social security numbers, and driver’s license information. The company’s initial estimates show that the attack affects roughly 7.8 million postpaid customers and 40 million “former or prospective” customers who had applied for credit with T-Mobile.
For most of those people, T-Mobile notes that the attack didn’t compromise phone numbers, account numbers, PINs, passwords, or financial information. However, the company has identified roughly 850,000 prepaid T-Mobile customers whose phone numbers and PINs were exposed. The company has already reset PINs in those cases.
As for the next steps, T-Mobile says customers should call 611 and change their account PINs as a proactive measure. T-Mobile will also offer two years of free identity theft protection, and will compile more information on what customers can do on a web page later today.
Over the weekend, Motherboard’s Joseph Cox reported on the potentially major T-Mobile data breach involving the personal information of more than 100 million people.
The hacker who claims to have taken this information is now looking to sell it online. It reportedly includes names, social security numbers, phone numbers, mailing addresses, driver’s license information, and the IMEI numbers associated with customers’ devices. Cox wrote that he’s seen samples of the data and confirmed that it lines up with information about T-Mobile customers.
On Monday, the self-proclaimed Un-Carrier confirmed that “unauthorized access to some T-Mobile data occurred,” but the company hadn’t determined for itself whether any personal information is involved. Reached for comment on Tuesday, T-Mobile pointed to its existing press statement from a day earlier.
“This investigation will take some time but we are working with the highest degree of urgency,” the statement says. “Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”
If you’re a T-Mobile customer, keep a few things in mind:
This isn’t T-Mobile’s first big data breach. In 2015, hackers gained access to the personal data of 15 million T-Mobile customers by targeting Experian, which handled the carrier’s credit applications. That breach also involved social security numbers, driver’s license IDs, and other personal data. Both T-Mobile and Sprint have suffered several smaller breaches since then.
Your data may be floating around already. Not to be overly fatalist about security breaches, but recall that in 2017, a hack of the credit bureau Equifax exposed the social security numbers, birthdays, and other personal details of roughly 143 million U.S. consumers.
You should always be vigilant. Regardless of what happens with T-Mobile, you should operate under the assumption that scammers can use your personal data against you, whether it’s through phishing schemes or attempted identity theft. Treat unsolicited emails or phone calls with caution, keep an eye on your financial accounts, and consider credit freezes or credit monitoring. And if you haven’t taken any precautions against SIM swapping, it’s the ideal time to do so.
This story has been updated to reflect new information from T-Mobile.