The names, birthdays and Social Security numbers of millions of T-Mobile US customers were stolen by hackers, the cellphone carrier said Tuesday as it continues to investigate a data breach disclosed earlier this week.
Bellevue-based T-Mobile confirmed that perpetrators behind a cyberattack accessed personal information tied to about 7.8 million current subscribers, as well as records of 40 million people who previously applied for credit with the company. The stolen data included first and last names and driver’s license information, but T-Mobile said it has no indication that the accessed files contained financial information.
“Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers,” T-Mobile said in a statement published on its website Tuesday.
On Monday, the company disclosed that hackers had gained access to its computer networks, but had not yet determined whether personal data had been stolen or how many customers were affected. T-Mobile said it would contact customers and offer two years of identity protection services, and recommended that subscribers with postpaid plans change their PINs.
Though the company’s preliminary analysis offered a sense of the cyberattack’s scale, T-Mobile did not disclose how hackers accessed its systems or who was behind the breach.
“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” the company said.
Motherboard first reported on the breach, following posts on a Web forum that claimed to be offering to sell the private data.
The breach follows a string of high-profile cyberattacks that refocused attention on the threats posed by digital intrusions, underscoring the vulnerability of sensitive data and the damage malicious actors can inflict beyond the theft of personal information.
This spring, a ransomware attack on Colonial Pipeline disrupted the East Coast’s fuel network, setting off panic buying and temporary gasoline shortages across several states. Weeks later, a cyberattack targeting the world’s largest meat supplier, JBS, threatened to knock out significant pieces of its global supply network, sparking concern over potential shortages and higher beef and pork prices.
The hacking of critical pieces of infrastructure highlighted the rising threats to government agencies, civil society groups and corporations, all of which increasingly rely on networked computer systems to operate.
Lawmakers have taken notice. As part of the bipartisan $1 trillion infrastructure proposal, Senate negotiators have included cybersecurity investments, reflecting the heightened sense that computer attacks could devastate entire communities. The bill would authorize nearly $2 billion in spending for cybersecurity initiatives, including a $1 billion grant program to provide federal cybersecurity assistance to state and local governments, which experts say are among the most vulnerable institutions to ransomware attacks, in which hackers break into computer systems and then demand a ransom to restore access to the victim.
The bill also would fund a new cyber director office, allowing the federal government to better coordinate its response to major hacks, and would establish a $100 million response fund, which officials could use to help agencies and companies recover from cyberattacks.
Even as ransomware attacks have increasingly captured public attention, cybercriminals continue to steal and sell data through more straightforward means, and may prefer to do so precisely because of the unwanted attention that would come with disrupting a large communications service like T-Mobile, said Allie Mellen, an analyst at Forrester Research.
T-Mobile said that its cyberattack probe is still underway and that it is coordinating with law enforcement. The company said earlier this week it had located and immediately closed the access point it thinks hackers used to breach its servers.
Cybercriminals have targeted T-Mobile in the past. In 2019, the company said that they accessed the data of some prepaid wireless accounts, including names, phone numbers and billing addresses, but that no financial information was compromised.
Though the cost of the breach to T-Mobile is not yet clear, IBM Security estimates that companies spent $4.2 million, on average, on such incidents in 2021. But that figure increases drastically for so-called mega breaches, when more than 50 million records are compromised.