T-Mobile Investigating 100 Million Subscriber Data Breach
from the whoops-a-daisy dept
Another day, another massive privacy scandal. T-Mobile is reportedly investigating a massive data breach that may have exposed the personal data of more than 100 million subscribers. As first reported by Motherboard, the stolen data recently popped up on underground hacker forums and includes subscriber Social Security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver's license information. Motherboard confirmed the data is genuine, and noted that the seller is asking $270,000 for a small subset of the data:
"On the underground forum the seller is asking for 6 bitcoin, around $270,000, for a subset of the data containing 30 million social security numbers and driver licenses. The seller said they are privately selling the rest of the data at the moment."
For years companies and some policymakers have soothed themselves with the belief that data collection of this scale isn't a big deal because data is "anonymized." But there's been a steady parade of studies showing how it's relatively trivial to identify users with just a small portion of additional data. The more data that's just bouncing around in the wild, the easier it gets. And with a bevy of hacks and leaks like this one, it just gets simpler.
T-Mobile has around 105 million wireless subscribers, meaning this hack could involve... pretty much all of them. Meanwhile, consumers have yet to be informed, because T-Mobile has yet to fully confirm the hack even happened or provide any additional information:
"T-Mobile said in a statement to Motherboard that 'We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.' T-Mobile repeatedly declined to answer follow-up questions about the scale of the breach."
You know, just another day in a country with no meaningful internet-era privacy protections.
Reader Comments
Encryption?
How hard would it be to just encrypt those fields? I bet they do for CC numbers. Are they just lazy?
Re: Encryption?
If they did, they'd probably store the key right next to it.
Re: Re: Encryption?
If they've got a shell open on T-Mobile's systems, the encryption is only a speedbump. Worst comes to worst, they're in a position to MitM from inside the walls. Even if they don't have the key, they probably have the key generator.
Re: Encryption?
Banks, well, the not-lazy ones anyway, subdivide user data into separate databases on independent drives on different servers.
I remember one branch didn't and compounded the error by not wiping that one HDD before liquidation.
Poop hit the fan when the reseller discovered the files and reported it. Head office came down like a ton of cement as did the ministry.
Re: Re: Encryption?
This is the direction they should all go. Specifically, the sensitive data (SSN, DL, all other PII) should each be stored in its own table, encrypted and protected with access controls, stored procedures and triggers to only allow access in authorized ways and by authorized accounts.
If implemented correctly, it should not be possible to do something like
SELECT ssn FROM ssns;
(i.e., it would fail if more than one record was returned), and a plain old
SELECT * FROM users WHERE ID='c2b10e7f-2739-4701-b50b-9f837d7eadb8';
should not contain any PII.
Re: Encryption?
massively.
They barely do anything to prevent sim swaps, so people with crypto are freaking out.
Re: Encryption?
I mean, they had a breach in 2017, 2018, 2019, and 2020. So now one in 2021 is just business as usual. I'm wondering what they have in store for 2022.
Re: Encryption?
It's legitimately hard to encrypt much of this data in any useful way. There are too many people who need access. Phone numbers need to be used all over the network. Names and addresses for billing, and for lookup by any minimum-wage store clerk. Driving licenses could maybe be encrypted such that only a small number of back-office staff could read them. SSNs should in theory be treated like that, but they are part of the data they want to share with credit bureaus (along with name, address, date of birth).
The best we'll get, realistically, is better audit trails and better protection against bulk export. Maybe the customer service people will only be allowed 20 lookups a day, or they'll need manager approval for no-phone-present lookups. Still, there will be at least tens of people with access to a huge database of everyone.
My guess is that T-Mobile won't be punished. They should be, though, which might push companies to treat personal data like the toxic waste it is. Just this week, an idea called Pretty Good Phone Privacy (PDF paper) was in the news. It's a way to run a phone network while collecting basically no data on subscribers—notably, no location data. The network only gets an anonymous proof that you paid for service. It's unlikely to be legal everywhere: even some countries that claim to value privacy require their telcos to collect and store photo ID from subscribers (the USA, though, isn't one of them—the authors believe it would be allowed).
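The design sketched in the comments above (PII in its own table behind access controls so that a bulk SELECT fails, plus the audit trail and per-agent daily lookup cap raised in the later reply), as an added worked example that is not code from the post or its commenters. It assumes SQLite's authorizer hook as the access-control mechanism, a hypothetical PiiGateway class, constructed sample records, and the 20-lookups-a-day figure taken from the comment.

```python
import sqlite3
from datetime import date

DAILY_LOOKUP_QUOTA = 20  # per-agent daily cap, the figure floated in the comments

class PiiGateway:
    def __init__(self, db):
        self.db, self._in_gateway = db, False
        db.set_authorizer(self._authorize)

    def _authorize(self, action, table, column, dbname, source):
        # Any read of the pii table from outside the gateway is refused, so a bulk
        # "SELECT ssn FROM pii" fails with "not authorized" instead of dumping rows.
        if action == sqlite3.SQLITE_READ and table == "pii" and not self._in_gateway:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    def lookup_ssn(self, agent, user_id, today=None):
        today = today or date.today().isoformat()
        used = self.db.execute("SELECT COUNT(*) FROM audit WHERE agent=? AND day=? AND allowed=1",
                               (agent, today)).fetchone()[0]
        allowed = used < DAILY_LOOKUP_QUOTA
        # Every attempt, allowed or refused, leaves an audit row.
        self.db.execute("INSERT INTO audit VALUES (?,?,?,?)", (agent, user_id, today, int(allowed)))
        if not allowed:
            return None
        self._in_gateway = True
        try:
            rows = self.db.execute("SELECT ssn FROM pii WHERE user_id=?", (user_id,)).fetchall()
        finally:
            self._in_gateway = False  # the gate never stays open, even on error
        return rows[0][0] if len(rows) == 1 else None  # never more than one record per call

def build_db():
    """Constructed sample schema: profile data and PII live in separate tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id TEXT PRIMARY KEY, display_name TEXT);
        CREATE TABLE pii (user_id TEXT PRIMARY KEY REFERENCES users(id), ssn TEXT);
        CREATE TABLE audit (agent TEXT, user_id TEXT, day TEXT, allowed INTEGER);
        INSERT INTO users VALUES ('u1', 'A. Subscriber'), ('u2', 'B. Subscriber');
        INSERT INTO pii VALUES ('u1', '000-00-0001'), ('u2', '000-00-0002');""")
    return db

def direct_read_denied(db):
    # True if a plain SELECT against the pii table is refused by the authorizer.
    try:
        db.execute("SELECT ssn FROM pii").fetchall()
        return False
    except sqlite3.DatabaseError:
        return True
```

A real deployment would put the gateway in a separate service with its own database role rather than in the same process as the caller; the point here is that the profile table stays readable while the PII table is only reachable one audited record at a time.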
Re: Encryption?
Still got questions about all these break-ins.
What OS are they using?
What protections?
Even cheap/easy protections aren't hard to create. Even under Windows.
With that said,
I wonder how much the person IN THE COMPANY thinks they will get. The list is huge of the break-ins, and thinking that All our personal data is out in the wild is very interesting.
Privacy has only 1 group that Really wants it. It's the banks. With the right data you can take over anyone's accounts. You can make credit cards. You can have a revenge thing going to tear a company apart.
And something I've said before. You can now contest anything the bank has on your record that is recent. No one checks the signatures anymore; it's to be AUTOMATED so there is no handling by the resellers.
Then we get to the idea of 'what can the banks do, to prove Who is using your cards/data'.
Between chips and tattoos, which can ALSO be copied by semi-smart people. Why don't we go back to the old ways? Because we Think automation saves money. Gets rid of all the middlemen, but still costs money to the reseller.
'T-Mobile did what now? We're focusing on social media, shoo.'
Only one thing to do really, time to drag social media over the coals for not respecting user privacy enough again.
Re: 'T-Mobile did what now? We're focusing on social media, shoo.'
As a customer…
Done!
Scale
You do realize that, if the last few years are anything to go by, this breach will have been twice as big as first reported. Now you can't have 200 million subscribers' data breached if you only have 105 million subscribers, so I'd guess that all 105 million subscribers have been compromised.
By the way, I still have a Yahoo! account. Not sure why, but I do. And I've had (and used) it since 2005.
Confirmed
As an update, T-Mobile has confirmed the unauthorized access.
Despite Karl's reference to "the stolen data", there's no confirmation that theft was involved. Copying is not theft.
$100 per user data accessed
That might make a dent in their thick skulls.
I wonder how many stale subscriber records they keep.
I look forward to people managing to get another 1000 years of "free *" credit monitoring as compensation.
The only way this will ever change is if some gray hats managed to compile the breached data about members of Congress & go to town with it.
They live in this magical bubble where they pretend everyone is treated like they are, ignoring they are pampered like the CEO's are.
Imagine if MTG had to deal with the archaic system we all face when some corporation didn't actually take our privacy seriously. In between her trying to blame the Space Jews & Obama, they might actually pass some rules to actually punish these corporations who refuse to spend a single dime on securing their systems after seeing hundreds of breaches & thinking it will never happen to them.
Social security numbers were never meant to become what they are today; perhaps it is time to demand better. I mean, they FINALLY took SS numbers off of Medicare cards & now use a unique identifier to try and stop fraud. SS numbers are like Bluetooth: it was a nice idea, but don't use it for important things.
Re:
SS had some rules and regs about the cards, and the gov. never enforced them. The SS number isn't supposed to be used for Any ID purposes.
The average ID theft costs 300 plus 15 hours.
At $20/hour that's another 300.
This is T-Mobile's 5th breach in 3 years.
Make T-Mobile pay 600 x 100m customers.
If the 60b hit makes them go bankrupt, so be it. It might serve as a deterrent to other companies to protect data better.
No Kidding,...
It was quite anticipated, when companies began outsourcing ALL of their Customer "Service" calls to India, that not too much time would pass before it was discovered that customers' information was lost to/in those in India.
Not to single out India, for any OCONUS storage of one's jewels, the greater the risk of those jewels being stolen.
Of course, the obvious solution is what the Corporations' belly will never allow: bring ALL support in-house to vastly improve integrity and protection of said jewels.
Investigating? Investigating what? We already know what was taken (everything) and from whom (everyone). Motherboard even verified it for them. Now how about handing over a free flagship phone to every user as compensation. That's gotta be cheaper than paying the real cost...