T-Mobile Allegedly Hit By Massive Breach

John Lister's picture

T-Mobile is investigating claims a hacker stole sensitive data about more than 100 million customers. It hasn't confirmed or denied claims. The haul included social security numbers and driver license information.

The alleged breach was first reported by Motherboard, which spotted a hacker forum post from somebody attempting to steal the data. The would-be seller says it comes from multiple T-Mobile servers and contains "full customer info" on US customers.

The seller claims the haul includes names, phone numbers and physical addresses, along with IMEI numbers that identify individual handsets. The seller also says driver license and social security numbers are among the stolen information.

Hacker Wants $270K

Motherboard says it has confirmed samples of the data show genuine customer information. It exchanged messages with the seller, who says the vulnerability in the servers has now been patched.

It seems the seller plans to sell the data in batches. They've started by offering 30 million driver license and social security numbers for the equivalent of $270,000. (Source: vice.com)

T-Mobile offered few details in its response, simple noting that:

"We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time."

Data Laws May Apply

If the claims are true, it would be a serious breach and raise questions about why T-Mobile kept the data, let alone why it failed to secure it properly.

T-Mobile would most likely have collected the social security number and driver license details to verify identities and then run credit checks for post-paid customers. It's considered good data protection practice - and in some jurisdictions it's a legal requirement - to delete such personal data when its no longer needed for the original purpose. (Source: forbes.com)

Some states such as New York also have data protection laws that require companies to inform users and regulators as soon as practical after a breach. If this situation is as described, T-Mobile would need to do so quickly once it's verified the data has indeed been exposed.

What's Your Opinion?

Do you find it plausible that a hacker could retrieve such data from a phone company's servers? Should there be federal laws to stop companies keeping sensitive data once it's finished initial ID and credit checks? Do you feel comfortable providing a social security number when taking out a service?

Rate this article: 
Average: 5 (7 votes)

Comments

ehowland's picture

I hope this ends up not being true.

buzzallnight's picture

Do you find it plausible that a hacker could retrieve such data from a phone company's servers?

Were they using M$ software????????????

YES!!!!!!!!!!

Should there be federal laws to stop companies keeping sensitive data once it's finished initial ID and credit checks?

YES

Do you feel comfortable providing a social security number when taking out a service?

NO

ehowland's picture

It was probably 15-20 years ago for me, so I do not honestly remember at all. I do not think they have my DOB on record (though it is probably not hard to find out with Social # if you have that). For years and years my license has had a different # on it NOT my Soc#, so they may only have that on record, honestly I have no idea what they have (and I should)...