T-Mobile suffered a major data breach in August 2021 that affected the private data of 53+ million users. Today, we are seeing reports of identity theft among T-Mobile users as well as T-Mobile user data being sold on the Dark Web. These events have prompted the New York Attorney General to issue a consumer alert warning T-Mobile users of the heightened risks.
Update: Numerous other state attorney generals from California, Washington, Delaware, and more, are also urging people to be on alert for identity theft and fraud as a result of T-Mobile’s 2021 data breach.
Are you a T-Mobile customer? If so, your private data may be up for sale on the Dark Web, putting you at heightened risk for identity theft, phishing attacks, and financial fraud.
Earlier today, the New York Attorney General’s office issued an urgent consumer alert warning T-Mobile users (both past and present) about the heightened risks of identity theft and fraud. New York Attorney General Letitia James issued this warning in a press release:
I have an urgent message for T-Mobile customers and other consumers: Be aware of any misuse of your personal information and follow the guidance provided by my office to protect yourself from identity theft.Consumer Alert from New York Attorney General Letitia James
Information stolen in a massive data breach has fallen into the wrong hands and is circulating on the dark web. The guidance offered by my office can help prevent identity theft. I advise all New Yorkers to maintain their financial safety by following the guidance my office has laid out. No consumer should have to deal with the devastating realities of identity theft.
To put these events into context, we need to first look back at what happened with T-Mobile last year.
August 2021: T-Mobile admits massive security incident
Private data is extremely valuable to cybercriminals. Back in August 2021, they hit the jackpot. T-Mobile admitted the unnerving details in this blog post where they stated:
- “We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI and IMSI information, the typical identifier numbers associated with a mobile phone, were also compromised.”
- “Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed.”
- “We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information, were compromised.”
With full name and social security information for 53+ million T-Mobile users, this is a treasure trove of data for bad actors to exploit.
Hackers can utilize this information to carry out identity theft attacks, gain unauthorized access to accounts, launch phishing attacks, and also commit financial fraud against their targets.
In addition to carrying out attacks, the data from T-Mobile customers is also valuable for data brokers. There are numerous websites, both on the regular internet and on the so-called Dark Web, where one can buy and sell private data of individuals. And the market for this is massive.
One reason for today’s consumer alert is that there have been more reports about T-Mobile user data being sold online by cybercriminals. According to the New York Attorney General’s report,
Recently, a large subset of the information compromised in the breach was discovered for sale on the dark web — a hidden portion of the Internet where cyber criminals buy, sell, and track personal information. Many individuals received alerts through various identity theft protection services informing them that their information was found online in connection with the breach, confirming that impacted individuals are at heightened risk for identity theft.
How T-Mobile users should protect themselves
Unfortunately, once your private data is exposed to cybercriminals, there’s no getting it back. However, there are certain steps you can take to further protect yourself and mitigate damage from past data leaks.
First, you should keep a close eye on your financial accounts and credit score. If you notice any unauthorized or irregular activities, you should contact your financial institution immediately.
Cybercriminals will often leverage private data to gain access to other accounts and services. This goes beyond just identity theft and identity fraud and moves into the realm of inflicting serious long-term financial damage.
Another tip is to place a credit freeze on your credit report. This will prevent cybercriminals from being able to open new accounts in your name. To place a credit freeze, simply contact the three large credit bureaus:
- Equifax – https://www.equifax.com/personal/credit-report-services/credit-freeze
+1 (888) 766-0008
- Experian – https://www.experian.com/freeze/center.html
+1 (888) 397-3742
- TransUnion – https://www.transunion.com/credit-freeze
+1 (800) 680-7289
There are also data breach monitoring tools you can use. Some tools monitor in real-time. Others allow you to scan past breaches for personal information. For instance, the Have I Been Pwned database allows you to check if your information appears in any past breaches.
Lastly, we always recommend limiting the amount of data you share with third parties. When signing up for new services and products, keep as much of your information private as possible. Remember that every database that contains your private information is a potential data breach waiting to happen. Therefore the less data you provide, the better.