In January, T-Mobile revealed it was hit by a data breach that impacted 37 million customers. Now the company has shared that it has seen another incident. The good(ish) news is that this time it’s believed to have affected only 836 users, but the bad news is that the malicious party was able to steal sensitive info like social security numbers, full names, birth dates, contact information, T-Mobile account PINs, and more.
Spotted by Bleeping Computer (via The Verge), T-Mobile started sending letters to impacted customers on April 28 about the latest breach, which happened between February and March.
“Our systems recently detected that a bad actor accessed limited information from a small number of T-Mobile accounts, including your T-Mobile account PIN. Personal financial account information and call records were NOT affected. Our systems and policies enabled T-Mobile teams to identify the activity, terminate it, and implement measures to protect against it from occurring again in the future. To further protect your account, we have already proactively reset your PIN.
“While we have a number of safeguards in place to prevent unauthorized access such as this from happening, we recognize that we must continue to make improvements to stay ahead of bad actors. We take these issues seriously. We apologize that this happened and are furthering efforts to enhance security of your information.”
While T-Mobile starts out by confirming financial account information and call records were not stolen, very sensitive information like T-Mobile PINs, social security numbers, birth dates, full names, contact information, and more was part of the compromised data for the small group of users.
“The information obtained for each customer varied, but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines.”
Because of the heightened risk of identity theft for these customers, T-Mobile is giving two years of credit monitoring and identity theft detection – details on enrolling are included in the letter sent to those affected.
T-Mobile didn’t respond to a request for comment from Bleeping Computer. A data breach filing with the state of Maine revealed that 836 customers were impacted, but neither T-Mobile nor the filing has shared how the threat actor compromised the company’s systems.
What should you do?
If you are alerted by T-Mobile that you were one of the 836, the carrier recommends reviewing your account information and changing your PIN (even though it already changed them for affected customers).
T-Mobile also mentions the FTC’s support page on identity theft.