T-Mobile Discloses Second Data Breach of 2023, Affecting 836 Customers
IT Services has learned that T-Mobile recently disclosed its second data breach of the year. Attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023. This incident affected only 836 customers, compared to the previous data breach that impacted 37 million people. Although the number of affected individuals is significantly smaller, the amount of exposed information is highly extensive and exposes those individuals to identity theft and phishing attacks.
T-Mobile stated that “in March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023.” The company sent data breach notification letters to affected individuals just before the weekend on Friday, April 28, 2023.
The threat actors did not gain access to call records or affected individuals’ personal financial account information. However, the exposed personally identifiable information contains more than enough data for identity theft. The exposed information varied for each of the affected customers and could include full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines.
After detecting the security breach, T-Mobile proactively reset account PINs for impacted customers and now offers them two years of free credit monitoring and identity theft detection services through Transunion myTrueIdentity.
T-Mobile previously disclosed a data breach on January 19, 2023, where attackers stole the personal information of 37 million customers by abusing a vulnerable Application Programming Interface (API) in November 2022. The mobile carrier spotted the threat actors’ malicious activity on January 5 and cut off their access to its systems within 24 hours. The data stolen in the January breach was “basic customer information,” including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.
Since 2018, T-Mobile has disclosed seven other data breaches, including one that exposed the information of roughly 3% of all T-Mobile customers.
What T-Mobile is Doing About It
After detecting the breach, T-Mobile proactively reset account PINs for impacted customers and now offers them two years of free credit monitoring and identity theft detection services through Transunion myTrueIdentity.
A T-Mobile spokesperson stated, “We notified a small number of customers that our systems and processes worked to detect and stop a bad actor who was accessing accounts using compromised credentials. No personal financial account information or call records were included. We take these issues seriously and have taken steps to proactively protect the impacted customer accounts and to help prevent recurrence. We’ll continue to investigate what occurred to expand the safeguards we have in place.”