T-Mobile Confirms Major Hack, Social Security Numbers And Drivers License Data Exposed
from the here-we-go-again dept
Earlier this week reports emerged that T-Mobile was investigating a massive hack of the company's internal systems, in which hackers gained access to a large trove of consumer information that they were then selling access to in underground forums. Initial estimates were that the personal details of 100 million customers had been accessed (aka all T-Mobile customers). After maintaining radio silence as it investigated the hack, T-Mobile has since released a statement detailing the scale of the intrusion. In short, it was smaller than initial claims, but still massive and terrible:
"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers."
While T-Mobile notes that none of the PINs used by former or prospective postpaid (billed regularly month to month) customers were accessed, it does say that 850,000 active T-Mobile prepaid customers had their names, phone numbers and account PINs exposed. Many others had their Social Security numbers, driver's license/ID information, and other data exposed:
"Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers."
While it's understood why T-Mobile would collect some of this data during a credit check, it's not clear exactly why it needed to keep this data after the credit check is complete. This, again, is the kind of stuff you could tackle with a basic US privacy law with meaningful penalties for companies that keep getting hacked. For T-Mobile customers I think this is maybe the fifth or sixth time the company has been hacked since 2018. You have to think clear, basic, and consistently enforced federal guidelines and penalties would incentivize companies to not over-collect data and properly secure their systems.
Instead we stand around, shrug, complain that it's impossible or too hard to have competent governance on this subject, and nothing changes. And when consumers then get hacked (again), the best they get are platitudes like "free credit reporting," which prove utterly useless given they've received "free credit reporting" the last 75 times their data wasn't properly secured.
It's not clear how many of these kinds of repeated scandals we need to see before the federal government crafts some basic, competent guard rails, but it's abundantly clear that, thanks to a broad cross-industry coalition of lobbyists with near-unlimited budgets, it's not going to be anytime soon.
Filed Under: data breach, drivers licenses, hack, social security numbers
Companies: t-mobile
Reader Comments
"You have to think clear, basic, and consistently enforced federal guidelines and penalties would incentivize companies to not over-collect data and properly secure their systems."
side eyes the NSA
The main difference is I'm willing to bet on top of the nice contributions to keep elected leaders from passing laws to demand the most basic protections keep them looking away.
Anyone want to take bets that no member of Congress has to deal with the same nightmares we do when their data gets leaked in these things? That magically 1 phone call makes all of the problems for them vanish, so they just assume everyone else gets the same treatment (or that's their story & they are sticking with it because playing stupid works out so well).
[ link to this | view in chronology ]
Re:
You can't fix the loss of PID with a phone call. Though they probably can get a lot of fraud addressed much easier than you or I could.
That said, I think more likely stealing the identity of a US congressperson is just not a good fit for identity thieves. Too much exposure. You need someone small-time enough that they don't have power to fight you effectively, not someone who can bring an army of lawyers to bear.
[ link to this | view in chronology ]
Re: Re:
Don't fall for this false narrative. Nothing was "stolen", a bunch of data is not an "identity", and it's really the banks etc. who are the victims. They try to avoid work by pretending it's the customer's problem and the customer needs to fix it. But if they loaned money to some criminal because they thought that person was me, that's too bad for them; I'll play the world's smallest violin, because it's their money that's gone, not mine. Do we expect the employees of New York City to help them if they give some huckster money to "buy" the Brooklyn Bridge?
To paraphrase the Fair Debt Collection Practices Act of 1977, a creditor needs to prove the debt within 30 days or go fuck themselves. Further harassment means they owe $1000 in damages to the person they're falsely claiming the debt against. Too bad it doesn't provide reimbursement of legal fees; if so, we'd likely have lawyers offering to fix the people's false-debt problems "for free".
[ link to this | view in chronology ]
Re: Re: Re:
Yes, "identity theft" is another rather lame term in an era of lame, misused, and abused terms.
When they drain your personal account, however, without interacting with the bank in any way other than supplying the few bits of data required to access your account (without getting into people, not just institutions, who are insecure at any speed), creditors won't need to prove anything.
[ link to this | view in chronology ]
Don't Worry!
You need not worry as I'm sure there will be a class action lawsuit where each person will be compensated in the amount of $7.82 (assuming they register and prove they are part of the class) while the lawyers will reap at least $100MM a piece.
[ link to this | view in chronology ]
Re: class action lawsuits
Yeah, civil lawsuits under existing, well established civil law are the proper way to handle this T-Mobile episode.
T-Mobile will soon be hit with many punishing lawsuits.
The courts have become quite tough on companies who fail to protect customer data.
The massive YAHOO data breach resulted in many successful and expensive fines against YAHOO, with more still in litigation.
The knee-jerk notion that we need still another Federal law (somehow perfectly crafted and enforced, of course) for data breaches is very naive.
(the brilliant Feds can't even protect their own data from massive hacks)
[ link to this | view in chronology ]
Don't do it
This sort of thing is why I never give my SSN out. It's amazing how many places give forms to fill out that ask for it, and really don't need it.
[ link to this | view in chronology ]
Why does T-Mobile have SSN and driver's license information of its customers in the first place?
[ link to this | view in chronology ]
REALLY?
"understood why T-Mobile would collect some of this data during a credit check, it's not clear exactly why it needed to keep this data after the credit check is complete. "
What a comment after finding out that Many Companies Keep Insurance on Past employees, and collect on life insurance later?
And that the SS agency has Never enforced using SSN as an Identification?
[ link to this | view in chronology ]
I received a text from T-Mobile that states that there's "no evidence your debit/credit card information was compromised". Whew! I guess the reasonable conclusion to draw from this is that they only got my name, address, driver's license, SSN, bank account number, mother's maiden name, name of my first pet, blood type, height, weight, eye color, and favorite food. I really dodged a bullet there.
[ link to this | view in chronology ]
Re:
Considering how loose T-Mobile is, that was probably the thieves themselves texting you to lure you into a false sense of security. "T-Mobile, where your data goes through 15 separate security checks." Sure, but how many of those 15 did it pass?
[ link to this | view in chronology ]