T-Mobile has disclosed further details regarding its recent data breach, and while the numbers don’t quite match the rumoured 100 million records, they’re nonetheless impressive.
While the inquiry is still ongoing, the corporation revealed that over 40 million “former or potential customers” who had previously applied for credit, as well as 7.8 million “postpaid customers” (those who presently have a contract), had their information taken. T-Mobile stated in its most recent earnings report (PDF) that it has over 104 million users.
The stolen files contained sensitive personal information such as first and last names, dates of birth, Social Security numbers, and driver’s license / ID numbers, which could be used to open a new account or hijack an existing one in someone else’s identity. It didn’t appear to contain “phone numbers, account numbers, PINs, or passwords.”
That’s not all; the hack also affected over 850,000 prepaid T-Mobile users, who had their personal information exposed, including “names, phone numbers, and account PINs.” Affected clients’ PINs have already been reset, and they will be notified “straight away.” For inactive prepaid accounts, undisclosed information was also accessed. “No customer financial information, credit card information, debit or other payment information, or SSN existed in this inactive file,” according to T-Mobile.
T-warning Mobile includes boilerplate wording like “We take our customers’ security extremely seriously,” but it rings hollow given that this is at least the fourth data breach revealed in the last several years, including one in January. The investigation began after someone claimed in an online forum that they had hacked T-servers, Mobile’s according to the company’s statement.
T-announcement Mobile does not confirm that the hack affected all 100 million users and includes IMEI / IMSI data for 36 million consumers that could uniquely identify specific devices or SIM cards, as alleged by a Twitter account selling stolen data.
T-Mobile says it will establish a dedicated website with information for users later today. It’s giving away two years of free McAfee identity protection, advising postpaid customers to reset their PIN, and touting its Account Takeover Protection capabilities to thwart SIM-swapping attacks.