T-Mobile suffered a major data breach in August 2021 that affected the private data of 53+ million users. Today, we are seeing reports of identity theft among T-Mobile users as well as T-Mobile user data being sold on the Dark Web. These events have prompted the New York Attorney General to issue a consumer alert warning T-Mobile users of the heightened risks.
Update: Numerous other state attorney generals from California, Washington, Delaware, and more, are also urging people to be on alert for identity theft and fraud as a result of T-Mobile’s 2021 data breach.
Are you a T-Mobile customer? If so, your private data may be up for sale on the Dark Web, putting you at heightened risk for identity theft, phishing attacks, and financial fraud.
Earlier today, the New York Attorney General’s office issued an urgent consumer alert warning T-Mobile users (both past and present) about the heightened risks of identity theft and fraud. New York Attorney General Letitia James issued this warning in a press release:
I have an urgent message for T-Mobile customers and other consumers: Be aware of any misuse of your personal information and follow the guidance provided by my office to protect yourself from identity theft.
Consumer Alert from New York Attorney General Letitia James
Information stolen in a massive data breach has fallen into the wrong hands and is circulating on the dark web. The guidance offered by my office can help prevent identity theft. I advise all New Yorkers to maintain their financial safety by following the guidance my office has laid out. No consumer should have to deal with the devastating realities of identity theft.
To put these events into context, we need to first look back at what happened with T-Mobile last year.
August 2021: T-Mobile admits massive security incident
Private data is extremely valuable to cybercriminals. Back in August 2021, they hit the jackpot. T-Mobile admitted the unnerving details in this blog post where they stated:
- “We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI and IMSI information, the typical identifier numbers associated with a mobile phone, were also compromised.”
- “Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed.”
- “We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information, were compromised.”
With full name and social security information for 53+ million T-Mobile users, this is a treasure trove of data for bad actors to exploit.
Hackers can utilize this information to carry out identity theft attacks, gain unauthorized access to accounts, launch phishing attacks, and also commit financial fraud against their targets.
In addition to carrying out attacks, the data from T-Mobile customers is also valuable for data brokers. There are numerous websites, both on the regular internet and on the so-called Dark Web, where one can buy and sell private data of individuals. And the market for this is massive.
One reason for today’s consumer alert is that there have been more reports about T-Mobile user data being sold online by cybercriminals. According to the New York Attorney General’s report,
Recently, a large subset of the information compromised in the breach was discovered for sale on the dark web — a hidden portion of the Internet where cyber criminals buy, sell, and track personal information. Many individuals received alerts through various identity theft protection services informing them that their information was found online in connection with the breach, confirming that impacted individuals are at heightened risk for identity theft.
How T-Mobile users should protect themselves
Unfortunately, once your private data is exposed to cybercriminals, there’s no getting it back. However, there are certain steps you can take to further protect yourself and mitigate damage from past data leaks.
First, you should keep a close eye on your financial accounts and credit score. If you notice any unauthorized or irregular activities, you should contact your financial institution immediately.
Cybercriminals will often leverage private data to gain access to other accounts and services. This goes beyond just identity theft and identity fraud and moves into the realm of inflicting serious long-term financial damage.
Another tip is to place a credit freeze on your credit report. This will prevent cybercriminals from being able to open new accounts in your name. To place a credit freeze, simply contact the three large credit bureaus:
- Equifax – https://www.equifax.com/personal/credit-report-services/credit-freeze
+1 (888) 766-0008 - Experian – https://www.experian.com/freeze/center.html
+1 (888) 397-3742 - TransUnion – https://www.transunion.com/credit-freeze
+1 (800) 680-7289
There are also data breach monitoring tools you can use. Some tools monitor in real-time. Others allow you to scan past breaches for personal information. For instance, the Have I Been Pwned database allows you to check if your information appears in any past breaches.
Lastly, we always recommend limiting the amount of data you share with third parties. When signing up for new services and products, keep as much of your information private as possible. Remember that every database that contains your private information is a potential data breach waiting to happen. Therefore the less data you provide, the better.
Really hacked me off and surprised me to receive that notification as well.
I haven’t been with tmobile for approximately 20 years. That was before I moved to the state I’m in now because they don’t offer service here.
So I was shocked….
Bummer. I’m already on a credit monitoring service because of another data breach ~5 years ago from my pharmacy.
Sven, can you do a post on the privacy of video conference companies? I have been trying to get people to switch to Jitsi (from Zoom), but all the info against Zoom is fairly old. Can it be trusted now? Also maybe include things like Telegram and Signal video calls. Thanks
It is impossible, or very nearly so, to use a California lifeline phone and avoid T-Mobile. This is Millions of people since covid happened! Being income based, a LOT of people who cannot afford to buy ‘lifelock’ type protection are in big trouble and likely don’t even know it.
This effects me, pretty irritated and T-Mobiles response was pathetic, this is like the 4th time they have been hacked in 2 years now? At what point do you just say they don’t even try to secure their customers data?
In the UK, there is no law that requires the Credit Reference Agencies to freeze an account at the request of the ‘customer’. They simply refuse to do so and continue collecting, processing and selling people’s data because they can. I’ve tried with the three agencies. All refuse.
I haven’t used ‘credit’ (to my knowledge), not taken loans, borrowings, ‘buy now, pay later’ options, or anything similar, yet in the UK system, it is currently impossible to stop the CRAs trading your data.
Sad. No surprises here. I smell a class-action lawsuit. This is going to really harm everyone involved in the breach, particularly those who are not on top of their cybersecurity game. Reminds me of the Equifax breach. They ended up paying out millions.