This week, wireless carrier T-Mobile US confirmed reports of a major data breach in which hackers obtained personal information belonging to more than 40 million past, present and potential customers. For some people, that means their full names, date of birth, Social Security numbers and even information from their driver’s licenses are being shopped around online in exchange for a few bitcoin.
Unfortunately, dealing with data breaches is nothing new for the Bellevue-based company — or its customers.
For those keeping count, this is the fifth such incident the wireless carrier has suffered in the past three years, but according to Allie Mellen, a security and risk analyst at Forrester Research, this is “the worst breach they’ve had so far.”
T-Mobile declined to comment on what other types of data could have been accessed during the breach, how many people had all of their sensitive information taken, or whether it has started notifying affected individuals, but it did encourage customers to visit a new webpage meant to help secure those people against “cybersecurity threats.”
The company’s suggestions are a start, but if you’re concerned that your time with T-Mobile — past or present — has left your personal information vulnerable, here are a few things you should consider doing right now.
— Change your password and PIN. T-Mobile suggests you do this, and the experts we talked to agree — changing your account password and PIN should be one of the first things you do. That’s because the personal information made available through the data breach can give an attacker almost everything they need to gain access to your T-Mobile account. (This is especially true for 850,000 of the company’s prepaid phone customers, who had their account PINs leaked alongside their names and phone numbers.) And once an attacker has access to one of your accounts, more are likely to follow.
“The data that identity thieves want today tends more often than not to be logins and passwords,” said James E. Lee, chief operating officer at the Identity Theft Resource Center. “They want credentials, because that’s what they can use to break into other systems.”
— Freeze your credit. Some of the deeply personal data made available through this data breach could be a gold mine for attackers who want to make use of your credit. That’s why personal finance and identity theft expert Adam Levin says affected customers should freeze their credit reports. You’ll have to contact each of the three major credit bureaus — Equifax, Experian and TransUnion — with your requests, but freezing your credit is completely free, doesn’t affect your credit score, and prevents anyone with your personal information (including you) from opening new lines of credit without securely “thawing” everything first.
Lee couldn’t agree more, noting that freezing your credit is “the most important thing you can do that is preventive” and that there’s little downside to it.
To learn more or to get started freezing your credit reports, check out the Equifax, Experian and TransUnion websites.
— Rethink two-factor authentication. If you’re even mildly security-conscious, you might already have two-factor authentication enabled on some of your online accounts — and that’s good thinking. Here’s the rub, though: If you’re concerned your data has been compromised as part of this breach, it might be time to rethink how you use 2FA.
Let’s say an attacker manages to obtain your name, date of birth and Social Security number — if they luck out and find your address and reused password in other data dumps, that might be enough to give them access to your T-Mobile account. If that happens, you could be vulnerable to what’s called a SIM-swap attack, in which the hacker manages to switch control of your phone number to a phone they control. That’s definitely bad, but what could make it worse is if the verification codes sent by services like Amazon, Twitter and many banks are delivered via text message. In that case, the keys to your online kingdom could be ferried straight to someone else.
One possible fix: Lee suggests using whenever possible authenticator apps from companies like Google and Microsoft that live directly on your phone. “Just having the text or the email that goes to the device is not as secure as having that authenticator app,” he said. “We always recommend to consumers that they use that, and to businesses that they offer that.”
T-Mobile’s investigation is only really getting started. But hopefully the company’s next updates will give us all a better sense of the attack’s scope, and how best to respond.
With any luck, T-Mobile will also get around to answering some lingering questions. Here’s one that still hasn’t been answered: The first Motherboard story that highlighted the breach noted that the hacker(s) had obtained IMEI numbers — long strings of digits unique to each phone sold — in addition to the rest of the personal information we’ve discussed so far. Meanwhile, T-Mobile’s statements don’t mention them at all. So were they leaked or not? This matters quite a bit, because IMEI numbers can be blacklisted if the device they’re attached to is reported stolen. Theoretically, that means an attacker might be able to at least temporarily prevent you from using your phone by using other leaked information to access your account and reporting your IMEI as lost.