T-Mobile Data Breach – August 2021

Overview

On the 17th of August 2021, T-Mobile has disclosed that they have been a victim of a cyberattack involving unauthorized individuals accessing the company’s servers.

Following an internal investigation, it has been disclosed that files containing personally identifiable information (PII) data have been stolen, this includes:

– First name and last name
– DOB
– Driver’s license/ID information
– Phone numbers
– Account PINs

Impact

T-Mobile has identified that the breach has affected multiple different groups of users, this includes:

• 7.8 million active T-Mobile customers using an account type of “postpaid” and 40 million former or prospective T-Mobile customers. The information leaked pertains to customer first and last names, dates of birth (DOB), social security numbers (SSN), driving licenses and/or identification card information.
• A further 667,000 accounts of former T- Mobile customers have also been confirmed as being affected. Information disclosed in this branch pertains to customer names, phone numbers, residential addresses and DOB.
• 850,000 active T-Mobile prepaid customers have also been affected. The information exposed includes first and last names, phone numbers and account PINs.

Vulnerability Detection

There is no vulnerability associated to this threat. However, threat actors may utilise this knowledge in social engineering or phishing attempts.

Affected Products

No products have been affected.

Containment, Mitigations & Remediations

For the customer that had their PINs exposed, T-Mobile has reset all PINs on the affected accounts.

The company also offers two years of free identity protection services with McAfee’s ID Theft Protection Service for any individual that believes to be affected by this breach. It is recommended that affected customers make use of the McAfee ID Theft Protection service provided by T-Mobile and regularly monitor any alerts which may trigger as a result of this.

T-Mobile has also advised that they offer free scam-blocking protection through Scam Shield and advice on resetting PIN and password via their website.

Indicators of Compromise

There are no IOC’s relating to this breach.

Threat Landscape

Personally identifiable information (PII) may be used to launch social engineering or phishing attacks. Threat actors may reach out to affected users offering fake compensation for the breach or may use the data to perform targeted phishing attacks with fake invoices.

Users should be wary of phone calls and text messages from unknown numbers impersonating T-Mobile services. If in doubt users should contact T-Mobile customer service using the details provided on the company website.

Mitre Framework Mapping

Reconnaissance:
Gather Victim Identity Information (T1589)

Further Information

T‑Mobile Shares Updated Information Regarding Ongoing Investigation into Cyberattack