T-Mobile’s investigation into claims of a massive data breach determined around 48.65 million people – including current, former, and prospective customers – had personal data stolen.
In an update posted on the carrier’s website overnight, T-Mobile confirmed that some of the stolen data included social security numbers, first and last names, dates of birth, and driver’s license/ID information for current and former postpaid customers and prospective customers.
While the investigation is still ongoing, T-Mobile said it has “no indication data contained in the stolen files” involved any customer financial information, including credit and debit card or other payment info.
T-Mobile said information from around 7.8 million active postpaid customer accounts was taken, as well as that of “just over 40 million” former or prospective customers who applied for credit with the carrier. Financial information, phone numbers, account numbers, PINs or passwords for those users don’t appear to have been breached.
T-Mobile confirmed that around 850,000 current T-Mobile prepaid customers’ names, phone numbers and account PINs were leaked in the breach. The carrier has reset all PINs on the exposed accounts and will be notifying customers. No customers of other related prepaid brands, Metro by T-Mobile, former Sprint prepaid, or Boost Mobile had names or PINs stolen.
Hackers also accessed information from inactive prepaid accounts via prepaid billing files, which did not include financial, credit card, debit or other payment info, or social security numbers.
T-Mobile had already closed the access point where the carrier thinks hackers were able to gain access to T-Mobile servers. In addition to resetting prepaid PINs, T-Mobile is recommending all postpaid customers proactively change their PIN, either online through their account or by calling the T-Mobile customer care team. The carrier said it’s immediately offering two years of free identity protection services with McAfee’s ID Theft Protection service.
T-Mobile said it started an investigation right after it was first notified late last week about claims in an online forum about compromised customer data. Vice’s Motherboard shed light on the claims over the weekend, reporting on the sale of personal data in an underground online forum, with the hacker telling the outlet the information was taken from T-Mobile servers and involved records for 100 million people.
By Monday evening, T-Mobile had confirmed a data breach but not the scale or nature of information taken.
While the figure in T-Mobile’s latest update is less than the reported 100 million, it still represents a massive breach of sensitive personal customer data.
In a Wednesday note to investors, New Street Research analysts said they didn’t know what liability T-Mobile might face for the breach, but said it was reminiscent of Equifax, where about 163 million people across both the U.S. and U.K. were impacted by a similar hack that resulted in fines of up to $700 million for the company.
“On similar math, T-Mobile’s leak of roughly 50MM customers would result in a fine of around $215MM,” wrote the analysts led by Jonathan Chaplin.
The firm also noted a sharp stock drop of $4 per share when the news was announced, for a loss of $5.3 billion in market cap – which the analysts think represents expectations for a fine along with the loss of value as consumers would be less likely to become T-Mobile customers because of the breach.
“If the fine was expected to be $700MM when the number of customers affected wasn’t known, the loss of $5.3BN in value seems to imply that T-Mobile will have 1-2MM fewer customers as a result of the reputational damage inflicted by the breach,” wrote Chaplin. “This strikes us as extreme.”
T-Mobile has been seen as the current front-runner in 5G, with a big head start over AT&T and Verizon on mid-band spectrum (offering both coverage and capacity) from the 2.5 GHz it got from the Sprint merger – which also bumped it to the No. 2 carrier position by subscribers. T-Mobile has continued to have big quarters of adding subscribers, including the most recent second quarter when it added 1.3 million postpaid subscribers, including 627,000 postpaid net phone adds.
This isn’t the first time T-Mobile has been hit by a data breach. In 2019, an attacker gained unauthorized access to prepaid customers’ service account info, affecting around 1.5% of the carrier’s customers. No financial data, passwords or social security numbers were compromised in that attack. In 2018, T-Mobile said around 3% of its customer base, or about 2 million users, had their account data hacked by an unknown international entity.