It was a sobering reminder that the Internet is a vulnerable and insecure place when hackers breached T-Mobile, one of the United States' biggest wireless service providers. The attack has affected over 40 million users.
Every business should prioritize data security to protect its customers. Unfortunately, even big companies like T-Mobile can trip up and make mistakes. Here's what went wrong for T-Mobile and how your company can prevent a similar attack.
How T-Mobile discovered they had been attacked
T-Mobile was alerted to the breach when someone found a large packet of personal data for sale on an underground forum on Sunday, August 15, 2021. The mobile giant immediately launched an investigation into how this data ended up online!
The investigation is still in its infancy (as of August 20, 2021), but T-Mobile has released some of its findings, including the progress made and the extent of leaked personal information.
In a statement, T-Mobile assured customers that the access point used to illegally gain access to its servers had been closed. Hardly good news when hackers have already stolen the personal data of millions of T-Mobile customers.
It's like celebrating fixing the vault door of a bank when criminals have already stolen all the money!
What can you do to stop this kind of breach from happening at your company? Prevent data breaches and unauthorized password sharing with TeamPassword. Take advantage of our 14-day free trial and take control of your company's password security today.
What is T-Mobile?
Headquartered in Bellevue, Washington, T-Mobile provides wireless voice and data services to more than 104.8 million customers in the United States. Its largest shareholder is German telecommunications company Deutsche Telekom (DT).
In April 2020, T-Mobile acquired the Sprint Corporation, making it the second-most powerful mobile operator in the US. The company is also the host network for several virtual network operators.
T-Mobile's Troubled History of Data Breaches
T-Mobile has experienced at least five data breaches in the past four years. The most significant breaches happened in 2018 and 2019.
In 2018, cybercriminals breached T-Mobile's servers and stole customer data, including names, billing zip codes, phone numbers, email addresses, account numbers, account type (prepaid or postpaid), and dates of birth.
Then in 2019, hackers got away with personal information, including cell phone numbers, rate plans, and other data affecting around 1.2 million prepaid T-Mobile customers.
Both times, T-Mobile was swift to assure customers that their systems were secure and this would never happen again! Whoops!
T-Mobile's 2021 Mega-Breach
T-Mobile's 2021 mega-breach makes 2018 and 2019 look like a warm-up to the big game.
While the investigation is still ongoing (and the number of those affected may have increased since this article was published), these are the numbers T-Mobile has released so far:
- 7.8 million current T-Mobile postpaid customers affected
- Over 40 million (yes, forty) former or prospective customers who had applied for credit with T-Mobile
Investigators are still unsure who is behind the T-Mobile data breach. The company is working with law enforcement to identify the "unauthorized individuals" responsible for the attack.
What Data did Criminals Steal from T-Mobile in 2021?
According to T-Mobile, "no phone numbers, account numbers, PINs, passwords, or financial information were compromised" for postpaid, former, or prospective customers, but criminals did steal full names, dates of birth, SSNs, and driver's license or other identification information.
For T-Mobile's prepaid customers, unfortunately, the data breach was more severe! Hackers managed to steal 850,000 names, phone numbers, and PINs—sensitive information that could give hackers access to a user's account.
What should you do if you're one of these people? Easy. Change your password. In fact, you should be changing all of your passwords all of the time. Passwords get easier to manage when you use something like TeamPassword to remember everything.
Resetting passwords is exactly what T-Mobile did. In response, T-Mobile reset all prepaid customer PINs and notified the owners. The company has also urged its postpaid customers to reset their PINs to protect their accounts with T-Mobile's Account Takeover Protection capability.
As of August 20, 2021, T-Mobile and investigators have not found evidence that hackers accessed personal financial or payment information, credit card details, account numbers, or passwords.
Do We Need to Change Privacy Laws?
T-Mobile's data breach has once again raised questions about privacy laws in the United States. For starters, how much personal information should companies be allowed to keep on record?
Once you have verified someone's identification or SSN, do you need to keep that information on file? And why?
If it's for account verification purposes, why not use something more secure like two-factor authentication?
These continuous corporate data breaches pose a significant risk to consumers, exposing them to identity theft, financial losses, and SIM swap scams.
In T-Mobile's case, 40 million people were affected (more than 10% of the United States), and they're not even customers!
Should a company be allowed to store your data even when you are not actually a customer but you had previously applied?
What are the Potential Risks for Those Affected by the T-Mobile Data Breach?
It's still early days for those affected by T-Mobile's data breach, so we can only speculate what might happen. Here are some real possibilities based on data stolen from similar data breaches.
SIM-swap fraud or SIM hijacking is a growing risk worldwide. Hackers can perform a SIM swap with a customer's phone account data and take over someone's phone number.
Once someone has your phone number, they can steal your identity, request money from friends or relatives, and intercept SMS multi-factor authentication. Banks regularly use the latter to authenticate a login or payment!
The danger with SIM swaps is that criminals usually change an account's (social media, Gmail, banking, Apple) recovery phone and email immediately. So even blocking the swapped SIM doesn't resolve the issue.
SIM swaps can be crippling for consumers, and they cause a mess that takes significant time and effort to untangle.
Phishing is a common modus operandi for hackers—even the most sophisticated cybercriminals use phishing attacks to breach systems.
Criminals contact customers, often posing as a legitimate company, to get someone to click a link or willingly offer sensitive information.
A spear-phishing attack is similar to regular phishing, but criminals use personal information to make the communication seem legitimate. A recent example is Twitter's 2020 spear-phishing attack.
For T-Mobile's customers, phishing and spear-phishing attacks will be a real threat for months or even years to come. Cybercriminals can contact T-Mobile customers while posing as customer support and use a customer's own information to offer "assistance" with the breach.
They might send a text message with a malicious link to reset a password, or call customers over the phone to "verify" their account information.
Malware attacks happen when a victim accidentally clicks an email or SMS link thinking it's from a legitimate source (essentially phishing correspondence). Clicking the link downloads a malicious package, and criminals have complete access to the device.
The scary thing about malware is that the user doesn't know someone is accessing their device. Hackers can steal all of the data on your phone and then monitor your device, turn on the camera/microphone, record keystrokes to steal account credentials, or intercept multi-factor authentication.
How can Companies Prevent Breaches?
If there's one thing we've learned in the last 18 months, it's that even organizations with sophisticated security systems fall victim to data breaches: Twitter, CAM4, EasyJet, Zoom, and Nintendo, to name a few.
If these multinational organizations aren't immune, how can small businesses prevent cyber attacks?
Password Security for Small Businesses
The first step is continuous education. Companies must educate employees about cybercrime and the tactics criminals use. Most breaches happen as a result of human error.
Companies also need to ensure they have multi-layered security tools and systems to prevent cyber attacks. Password management is a particularly vulnerable point for attack.
With TeamPassword, you never share raw login credentials, which prevents unauthorized sharing and access. You can also set up two-factor authentication (2FA) for TeamPassword, so if someone does steal a team member's password, 2FA minimizes the likelihood of a full breach.
Instead of sharing passwords, you can add team members and freelancers to TeamPassword, where they log into your company accounts using our browser extensions—including Chrome, Firefox, and Safari.
You can create groups for specific clients or accounts and add or remove a team member with one click. This sort of password sharing means you never have to worry about changing passwords when an employee or freelancer leaves the team.
And, if you do need to change login credentials, it's as easy as a few clicks with TeamPassword's built-in password generator.
TeamPassword features an activity log, making it possible to investigate breaches or unauthorized sharing. Account managers can also set up email notifications for all TeamPassword actions, like logins, credential sharing, adding new accounts, adding or removing team members to a group, and more.
How Secure is TeamPassword?
TeamPassword uses the latest secure encryption technology to ensure your account credentials are always protected. We're a secure hosting provider with multiple encryption technology accreditations.
TeamPassword's other security features include two-factor authentication (with backup codes) and activity/audit logging. Our team also conducts frequent vulnerability sweeps to ensure our systems and password manager have no backdoors!