T-Mobile suffers fifth data breach in four years as hackers get away with sensitive data of 100 million users

T-Mobile’s latest incident is not an isolated case as an increasing number of businesses are reporting data breaches including those in India which has seen 5 such incidents so far this year. 

A hacker informed VICE that they stole confidential data of 100 million users of T-Mobile, according to its report. The seller in a chat with Motherboard, VICE’s platform which covers tech, revealed that the data contained details like social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver license information.

Cyber attacks have increased dramatically during the pandemic as lockdowns caused by COVID-19 forced a rapid increase in the adoption of digital tech. Data breaches are the second-most common form of cyber attacks as the stolen information fetches a lucrative price on the dark web. It results in acute financial loss while denting the reputation of businesses. A data breach also violates the privacy of individuals who can lose their sensitive data, the consequences of which can be damaging. 

How did it all unfold? 

Motherboard reported that it came across a post in an underground forum that claimed that it was “selling a mountain of data”. The post did not mention the name of the company which owned the data. 

It established contact with the seller who divulged, in an online chat, that the data belonged to T-Mobile USA. They added that the data was obtained by compromising multiple servers of T-Mobile.

The seller demanded 6 bitcoin which translates to $270,000 at the prevailing market price of bitcoin. It was the price for the dataset of 30 million social security numbers and driver licenses. They added that the rest of the data was being sold privately. 

The seller told Motherboard that data had been backed up in multiple places locally before T-Mobile severed their access from the backdoored servers.  

We take the protection of our customers very seriously: T-Mobile

The telecom giant said that it was conducting an investigation into claims of illegal access made by the seller. 

“We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement. We have determined that unauthorized access to some T-Mobile data occurred, however, we have not yet determined that there is any personal customer data involved,” the company said in its statement.   

The statement disclosed that the entry point used to gain access was closed, and a deep technical review was underway to identify the nature of the data. “Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”

Timeline of data breaches suffered by T-Mobile

This is not the first time that T-Mobile has suffered a data breach. The Verge stated that T-Mobile has had several data breaches in the last few years: 

August 2018: Hackers accessed personal information of nearly 2 million customers which included the name, billing zip code, phone number, email address, account number, and account type of users. Other sensitive information — financial data, Social Security numbers, and passwords — weren’t compromised in the hack according to the company.

November 2019: A “small number of prepaid customers” were a target of the breach that leaked customer names, addresses, phone numbers, account numbers, rate plans, and plan features to the hackers.

March 2020: An attack led to hackers obtaining unauthorised access to certain T‑Mobile employee email accounts which contained account information on T‑Mobile customers and employees.  On this occasion, personal information accessed included names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features.

December 2020: The breach in December exposed call-related information and phone numbers of its customers to the hackers. Bleeping Computer said that the information did not include names on customers’ accounts, physical or email addresses, financial data, credit card information, Social Security numbers, tax IDs, passwords, or PINs. The company said that the breach affected 0.2 percent of its users which comes up to 200, 000 people.

Data leaks and breaches in India so far this year

• Air India (AI) reported a data breach that compromised the personal details and information of 4.5 million customers. The hackers managed to extract customer information, barring payment details, that was registered on the SITA-AI system between August 26, 2011, and February 3, 2021.
• MobiKwik reported a database leak to the size of 8.2 TB which contained 36 million files containing KYC information belonging t0 3.5 million people. The hack also accessed around 7.5 TB worth of KYC data pertaining to over 3 million merchants on MobiKwik’s network. Over 99 million users’ phone numbers, emails, hashed passwords, addresses, bank accounts, and 40 million card details up to 10 digits, were leaked with month, year, and card hash data.
• 190,000 CAT aspirants’ personally identifiable details along with their test results were leaked on the dark web in May. The details put up for sale include names, dates of birth, email IDs, mobile numbers, address information, candidates’ 10th and 12th-grade results, details of their bachelor’s degrees, and their CAT percentile scores.
• Domino’s India suffered a data breach wherein 1 million credit card records and 180 million pizza preferences were up for sale on the dark web. It was found that someone was asking for 10 bitcoin (roughly $535,000 or ₹4 crore) for 13TB of data which included customers’ names, phone numbers, and email addresses.
• Upstox’s customer data was on sale on the dark web after a data leak by ShinyHunters. It was reported that the hackers sought a ransom of $1.2 million (Rs 9 crore) to not publicise the user data. The security breach was first reported by Rajshekhar Rajaharia, an independent internet security researcher, who claimed that data of some 25 lakh users and 5.6 crores Know Your Customer (KYC) data was leaked. The leaked user data included names, birthdates, PAN, passports, and photos of user signatures, among other things.

Also read: