T-Mobile last week notified prepaid customers who were hit by a data breach, which included unauthorized access to personal data and rate plan information.
A T-Mobile spokesperson said less than 1.5% of total T-Mobile customers were impacted by the incident, which was identified in early November by the operator’s cybersecurity team and corrected “immediately.” T-Mobile counted about 84.1 million total customers at the end of the third quarter 2019, including about 21 million prepaid, so roughly estimated, about 1.26 million customers could have been affected.
T-Mobile said the malicious, attack involved unauthorized access to prepaid service account information including name and billing address, phone number, account number, rate plan and features such as if a consumer added international calling to their service.
Importantly, T-Mobile said no passwords, financial data (including credit card information), or social security numbers were compromised. Under FCC rules, T-Mobile was required to notify customers impacted by the breach because rate plan and features of customers’ voice service are considered “customer proprietary network information (CPNI),” which according to T-Mobile is basically the information generated in connection with telecommunications services. Though not involved in the recent T-Mobile breach, CPNI also covers highly sensitive information like detailed records of who a customer has called or received calls from.
“Like any other company, T-Mobile is unfortunately not immune to this type of criminal attack,” said a T-Mobile spokesperson in emailed comments, echoing language on the carrier’s website. “We have a number of safeguards in place to protect personal information from unauthorized access, use, or disclosure. Fortunately, we discovered this activity quickly and shut it down immediately.”
At this point all affected customers should have been notified and the operator has encouraged users to confirm or update the personal pass code on their T-Mobile account as an added safeguard.
Consumer privacy and data garnered increased attention over the last year, when large-scale breaches surfaced, like the Cambridge Analytica mess that saw information from as many as 50 million Facebook profiles illicitly obtained by an abuse of the platform’s data-sharing features.
The wireless industry found itself in hot water after a wave of investigative reports revealed that major wireless carriers were selling customers’ location data to third-party data aggregators. The FCC this summer asked for proof from the four nationwide carriers that they had stopped the practice, following earlier pledges to do so.