The company said Wednesday some of the exposed data included customers’ first and last names, social security numbers and driver’s license, adding that the hacking also included the PINs of about 850,000 active prepaid customers.
The cellphone carrier said it was “informed of claims made in an online forum that a bad actor had compromised T-Mobile systems,” and it has been investigating the data breach since last week.
On Sunday, US media reported that a vendor in an online forum was trying to sell $270,000 worth of stolen information obtained from T-Mobile servers. The company confirmed on Tuesday that customer data was affected.
Hackers have targeted T-Mobile in the past. In 2018, T-Mobile suffered a security breach that compromised personal information of two million customers, including phone numbers, email addresses and account numbers. In 2019, the company’s email vendor was hacked, revealing some customer and employee personal information.
The recent breach follows a string of high-profile cyberattacks that underlined the vulnerability of US government agencies and companies to digital intrusions and the damage hackers can inflict beyond the theft of personal information.
This spring, a ransomware attack on US Colonial Pipeline disrupted the East Coast’s fuel network, setting off gasoline shortages across several states. Weeks later, a major cyberattack targeted the US branch of world’s largest meat supplier, JBS, sparking concern over potential shortages and higher beef prices
US lawmakers have discussed a $2 billion bill in spending for cybersecurity initiatives, including a $1 billion grant program to provide federal cybersecurity assistance to US state and local governments, which experts say are among the most vulnerable institutions to ransomware attacks, in which hackers break into computer systems and then demand a ransom to restore access to the victim.
Experts expressed concerns that, more and more, companies and institutions do not have the necessary security protocols in place to protect sensitive information.
Yuan Stevens, a researcher at Ryerson University in Toronto who has studied the 2018 T-Mobile breach, said that the company’s system of handling security complaints put the onus on consumers to keep their information safe.
“I do not think it’s on the individual to protect their data,” Stevens said. “We should not have to opt out of using services in order to protect ourselves. Instead US institutions should be responsible for protecting consumer data.”