T-Mobile Confirms Major Hack, Social Security Numbers And Drivers License Data Exposed

from the here-we-go-again dept

Earlier this week reports emerged that T-Mobile was investigating a massive hack of the company’s internal systems, resulting in hackers gaining access to a massive trove of consumer information they were selling access to in underground forums. Initial estimates were that the personal details of 100 million customers had been accessed (aka all T-Mobile customers). After maintaining radio silence as it investigated the hack, T-Mobile has since released a statement detailing the scale of the intrusion. In short, it was smaller than initial claims, but still massive and terrible:

“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts? information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”

While T-Mobile notes that none of the PINS used by former or prospective postpaid (billed regularly month to month) customers were accessed, T-Mobile does note that 850,000 active T-Mobile prepaid customers had their names, phone numbers and account PINs exposed. Many others had their social security numbers, drivers license/ID information, and other data exposed:

“Some of the data accessed did include customers? first and last names, date of birth, SSN, and driver?s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”

While it’s understood why T-Mobile would collect some of this data during a credit check, it’s not clear exactly why it needed to keep this data after the credit check is complete. This, again, is the kind of stuff you could tackle with a basic US privacy law with meaningful penalties for companies that keep getting hacked. For T-Mobile customers I think this is maybe the fifth or sixth time the company has been hacked since 2018. You have to think clear, basic, and consistently enforced federal guidelines and penalties would incentivize companies to not over-collect data and properly secure their systems.

Instead we stand around, shrug, complain that it’s impossible or too hard to have competent governance on this subject, and nothing changes. And when consumers then get hacked (again), the best they get are platitudes like “free credit reporting,” which prove utterly useless given they’ve received “free credit reporting” the last 75 times their data wasn’t properly secured.

It’s not clear how many of these kinds of repeated scandals we need to see before the federal government crafts some basic, competent guard rails, but it’s abundantly clear that, thanks to a broad cross-industry coalition of lobbyists with near-unlimited budgets, it’s not going to be anytime soon.

Filed Under: , , ,
Companies: t-mobile

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “T-Mobile Confirms Major Hack, Social Security Numbers And Drivers License Data Exposed”

Subscribe: RSS Leave a comment
11 Comments
That Anonymous Cowardsays:

"You have to think clear, basic, and consistently enforced federal guidelines and penalties would incentivize companies to not over-collect data and properly secure their systems."

side eyes the NSA

The main difference is I’m willing to bet on top of the nice contributions to keep elected leaders from passing laws to demand the most basic protections keep them looking away.

Anyone want to take bets that no member of Congress has to deal with the same nightmares we do when their data gets leaked in these things? That magically 1 phone call makes all of the problems for them vanish, so they just assume everyone else gets the same treatment (or thats their story & they are sticking with it because playing stupid works out so well).

James Burkhardtsays:

Re: Re:

That magically 1 phone call makes all of the problems for them vanish, so they just assume everyone else gets the same treatment (or thats their story & they are sticking with it because playing stupid works out so well).

You can’t fix the loss of PID with a phone call. Though they probably can get a lot of fraud addressed much easier than You or I could.

That said, I think more likely stealing the identity of a US congressperson is just not a good fit for identity theives. Too much exposure. You need someone small-time enough that they don’t have power to fight you effectively, not someone who can bring an army of lawyers to bear.

Anonymoussays:

Re: Re: Re: Re:

stealing the identity

Don’t fall for this false narrative. Nothing was "stolen", a bunch of data is not an "identity", and it’s really the banks etc. who are the victims. They try to avoid work by pretending it’s the customer’s problem and the customer needs to fix it. But if they loaned money to some criminal because they thought that person was me, that’s too bad for them; I’ll play the world’s smallest violin, because it’s their money that’s gone, not mine. Do we expect the employees of New York City to help them if they give some huckster money to "buy" the Brooklyn Bridge?

To paraphrase the Fair Debt Collection Practices Act of 1977, a creditor needs to prove the debt within 30 days or go fuck themselves. Further harassment means they own $1000 in damages to the person they’re falsely claiming the debt against. Too bad it doesn’t provide reimbursement of legal fees; if so, we’d likely have lawyers offering to fix the people’s false-debt problems "for free".

Anonymoussays:

Re: Re: Re: Re: Re: Re:

Yes, "identity theft" is another rather lame term in an era of lame, misused, and abused terms.

When they drain your personal account, however, without interacting with the bank in any way other than supplying the few bits of data required to access your account (without getting into people, not just institutions, who are insecure at any speed), creditors won’t need to prove anything.

Anonymoussays:

Re: Re: class action lawsuits

yeah, civil lawsuits under existing, well established civil law are the proper way to handle this T-Mobile episode.
T-Mobile will soon be hit with many punishing lawsuits.

The courts have become quite tough on companies who fail to protect customer data.
The massive YAHOO data breach resulted in many successful and expensive fines against YAHOO, with more still in litigation.

The knee-jerk notion that we need still another Federal law (somehow perfectly crafted and enforced, of course) for data breached is very naive.
(the brilliant Feds can’t even protect their own data from massive hacks)

ECAsays:

REALLY?

"understood why T-Mobile would collect some of this data during a credit check, it’s not clear exactly why it needed to keep this data after the credit check is complete. "

What a comment after finding out that Many Companies Keep Insurance on Past employees, and collect on life insurance later?
And that the SS agency has Never enforced using SSN as an Identification?

Anonymoussays:

I received a text from T-Mobile that states that there’s "no evidence your debit/credit card information was compromised". Whew! I guess the reasonable conclusion to draw from this is that they only got my name, address, driver’s license, SSN, bank account number, mother’s maiden name, name of my first pet, blood type, height, weight, eye color, and favorite food. I really dodged a bullet there.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow