Numerous T-Mobile customers tweeted on X last night that they were able to see other people’s personal customer information on their accounts. A source told Fierce Wireless that when he logged into his T-Mobile account, he saw other people’s names, lines, billing history, addresses, call logs and saved payment methods.
“This is pretty horrifying especially under no circumstances should any modern platform be storing, let alone displaying, raw card information,” said the source.
The security breach seems to have started around 11:30 pm Pacific Time on Tuesday, September 19, and T-Mobile appeared to have finally disabled online access for all customers at about 2:30 am Pacific Time today.
Here are a few examples of customer tweets:
Fierce Wireless reached out to T-Mobile and will update this story if the carrier responds.
Update: Shortly after this story published, T-Mobile said, "This was not a breach and was a technology issue. We'll come back to you with more."
2nd Update from T-Mobile: "There was no cyberattack or breach at T-Mobile. This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved."
“After what happened with Dish, nobody in the wireless industry lives in anything other than a glass house when it comes to information security,” said the Fierce Wireless source, referring to a hack of Dish Network early this year.
In February, Dish suffered a cybersecurity incident that affected its internal communications, customer call centers and internet sites, and some data was extracted from its IT systems.
It may be too early to tell whether last night’s security breach at T-Mobile was an internal problem or the result of some sort of external breach, but either way it’s irrelevant to customers whose personal financial information has been exposed.
This isn’t the first security breach for the Un-Carrier. About two years ago, in August 2021, T-Mobile revealed that more than 50 million people – including current, former, and prospective customers – had some of their personal data stolen. Customers’ first and last names, date of birth, Social Security numbers and driver’s license/ID information were among the items that were stolen.
Today, it’s not clear who’s in charge of security at the company. Recently, Néstor Cano’s title became Chief Information and Digital Officer. But there is not a senior executive with the title of Chief Security Officer.