Server Misconfiguration – 2021
On August 15th, 2021, Vice reported that a hacker had breached multiple T-Mobile servers, affecting between 50 and 100 million US customers. The hacked data contained the personal information of customers including Social Security Numbers, names, phone numbers and IMEI numbers, which are used to uniquely identify cell phones.
Forrester analyst Allie Mellen told ABC News that the breach was not a “particularly sophisticated” attack, as it stemmed from a server misconfiguration issue. Mellen also noted that T-Mobile, “didn’t know about the attack until the attackers posted about it in an online forum.”
In response, T-Mobile created a special breach page just for this specific incident, where the company has stated that they are “working around the clock to address this event.” One section of the web page titled “What we’re doing” consists of just two sentences with no clickable links or stylizations. However, the page also outlines “What you can do” and provides customers with a descriptive paragraph emphasizing their customers take steps to protect themselves, followed by four oversized graphical sub-sections with hyperlinks that direct customers toward more information on various preventative services and offerings.
T-Mobile says they protect customer information “with the utmost concern,” and that they take this security incident “very seriously.”
This breach comes on the heels of 2 additional T-Mobile breaches in 2020 and is the latest example of their concerning track record of improperly handling sensitive data.
Supply-Chain Attack – 2020
T-Mobile’s first breach of 2020 was in March and involved a supply-chain attack that targeted a third-party email vendor. Email accounts of some T-Mobile employees were compromised, which apparently led to some customers having their personal and account information stolen in the process.
The company sent out two very different breach notifications, each one specific to one of two separate groups of victims. One notice was in regards to certain FCC regulations, but it has since been taken down or moved by T-Mobile.
Second Helping – 2020
T-Mobile’s second breach of 2020 occurred in December, and this time, the company stated that a “security incident” had occurred affecting around 200,000 subscribers. The company said that the data accessed was related to Customer Proprietary Network Information (CPNI), which is covered and protected by the FCC. CPNI includes information such as phone numbers and calls history. The company also noted that no PII was stolen as part of the breach. No further details about the hack itself were disclosed by T-Mobile.
In its statement, T-Mobile said that they “take the security of customer information seriously” and that they would “continue to work to further enhance security.”
Required Disclosure – 2019
Another unspecified hack occurred in November of 2019 that affected roughly one million T-Mobile customers. As with several of its other breaches, customer information such as names, addresses, and phone numbers were obtained by the hackers.
This time, T-Mobile’s response included some peculiar language around the word “require.”
“Rate plan and features of your voice calling service are “customer proprietary network information” (“CPNI”) under FCC rules, which require we provide you notice of this incident.” – T-Mobile statement, Nov 21, 2019
TechCrunch first reported on this breach and noticed the statement’s odd verbiage, stating that “the implication seems to be that they might not have done so otherwise.”
Leaky API – 2018
Just over three years ago on August 20th, 2018, T-Mobile was hit by a breach that affected around 2.3 million customers. The company said that impacted customers had their name, phone number, date of birth, zip code and account number exposed in the breach, but Social Security Numbers and financial information were safe and that “no passwords were compromised.”
However, T-Mobile later did confirm to Vice that passwords were indeed stolen, but that they were encrypted using an undisclosed hashing algorithm. Additionally, an independent security researcher claimed that usernames were stolen alongside those passwords and shared the discovered data with Vice after the publication first covered the news.
T-Mobile concluded their statement by telling their customers that they “take the security of your information very seriously”.
T-Mobile has suffered 5 data breaches in just over 3 calendar years. Each of which were taken “very seriously.”