T-Mobile has confirmed that hackers broke into its internal servers in what could be one of the largest carrier data breaches ever.
A day after Vice reported hackers were claiming to have stolen the personal data of 100 million T-Mobile USA customers, the company said Monday that “unauthorized access to some T-Mobile data” had occurred.
“We have not yet determined that there is any personal customer data involved,” T-Mobile said in a news release, adding, “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
As of June, T-Mobile served about 84 million connections, including cellphones, mobile hotspots, and other devices, through more than 26 million postpaid accounts. Cellphone carriers typically run a credit check on customers with postpaid plans, which bill subscribers for service after it is rendered.
The hackers told Vice they had “full customer info” from T-Mobile, including social security numbers, phone numbers, names, physical addresses, unique International Mobile Equipment Identity numbers, and driver’s licenses information, and were asking around 6 bitcoin, about $270,000, for a subset of the data containing 30 million social security numbers and driver’s licenses.
According to Ars Technica, T-Mobile has experienced as many as six separate data breaches in recent years, including a hack in 2018 that gave unauthorized access to customer names, billing ZIP codes, phone numbers, email addresses, and account numbers.
In 2020, hackers absconded with data including customer names and addresses, phone numbers, account numbers, and billing information.
“If claims that data for 100 million people have been hacked prove to be true, this latest breach will be among the largest carrier data breaches ever,” Ars Technica said.
Crane Hassold, director of threat intelligence at email security company Abnormal Security, told Wired that the hack was “ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable. That’s the first thing that I thought of, looking at this.”