T-Mobile Breach Exposed the Personal Data of 54 Million Customers

The T-Mobile data breach in August 2021 was massive. Find out what data was stolen, what T-Mobile is doing to help customers affected by the breach, and how to protect yourself even if you are not a breach victim.

On August 15, 2021, the world first learned about the massive T-Mobile data breach. The disclosure came from a most unusual source — the hackers who pulled off the data heist. The cybercriminals told BleepingComputer that they hacked into T-Mobile’s production, staging, and development servers and stole the personal data of millions of T-Mobile customers. A day later, T-Mobile confirmed that its systems had indeed been attacked and some of its data stolen. Later updates revealed that the stolen data included personal information about T-Mobile and Metro by T-Mobile customers.

What Was Stolen

In the August 2021 data breach, hackers stole the personal data of more than 54 million past, present, and prospective T-Mobile customers. In addition, data about 52,000 current Metro by T-Mobile customers was taken.

The types of data stolen is a good news/bad news situation. First, the good news: No financial information was included. “We have no indication that personal financial or payment information, credit or debit card information, account numbers, or account passwords were accessed,” stated T-Mobile.

Now, the bad news: Highly sensitive ID numbers were taken, including Social Security and driver license numbers. “The exact personal information accessed varies by individual,” according to T-Mobile. “We have determined that the types of impacted information include: names, drivers’ licenses, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs (which have already been reset to protect you), addresses and phone number(s).”

In addition, International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers were stolen. IMSI numbers are used to identify the users of a cellular network, whereas IMEI numbers are used to identify the devices on a cellular network.

Hackers have put all the stolen data up for sale on the dark web.

What T-Mobile Is Doing to Help Customers

T-Mobile has already sent notifications to current customers involved in the data breach. Current customers who were not affected by the breach will see a banner on their MyT-Mobile.com account login page telling them so. At the time of this writing, T-Mobile is in the process of notifying former and prospective customers affected by the breach.

Besides letting customers know whether or not their data has been stolen, T-Mobile is:

• Offering data breach victims a two-year subscription to McAfee’s ID Theft Protection Service free of charge
• Recommending that all customers install and use T-Mobile’s free Scam Shield app
• Encouraging all customers to take advantage of T-Mobile’s free Account Takeover Protection service
• Suggesting other ways customers can protect themselves against identity theft and fraud (e.g., resetting their PINs and passwords)

T-Mobile set up a web page that provides links to these and other resources.

What Is Being Done to Prevent Another Attack

To prevent a similar attack in the future, T-Mobile conducted a forensic investigation of the data breach, with assistance from the cybersecurity firm Mandiant. The telecom giant has not disclosed too many details about the data breach since there is a criminal investigation underway. However, it did divulge that the cybercriminals gained access to the company’s IT network through the testing environment. They then used brute force attacks and other techniques to access the servers containing the customer data.

T-Mobile has closed the entry points that the hackers used to gain access to the various servers. It has also entered into long-term partnerships with Mandiant and KPMG, a cybersecurity consulting firm. “I am confident in these partnerships and optimistic about the opportunity they present to help us come out of this terrible event in a much stronger place with improved security measures,” said T-Mobile CEO Mike Sievert.

This help is sorely needed. The August 2021 incident is the fifth major data breach at T-Mobile in the last three years. Hackers stole the personal data of 2 million customers in November 2018. A year later an undisclosed number of customers using the company’s prepaid services had their personal information pilfered. Then, in March 2020, both customers and employees had their names, addresses, account numbers, and other data stolen. Nine months later roughly 200,000 customers had their phone numbers, call records, and other Customer Proprietary Network Information (CPNI) breached.

This disturbing trend coupled with the fact that T-Mobile violated the California Consumer Privacy Act is helping fuel lawsuits against the company. Two class-action lawsuits have already been filed, with many more likely to come.

Ways Everyone Can Protect Themselves

There is little you can personally do to stop cybercriminals from hacking into companies’ databases and stealing your personal data. However, there are measures you can take to minimize the damage if you find out you are a data breach victim:

• Monitor your accounts regularly for suspicious activity. Besides checking your monthly credit card and bank account statements, review your online service accounts (e.g., PayPal).
• Monitor your credit reports periodically. US citizens have the right to obtain free copies of their credit reports from Equifax, Experian, and TransUnion once a year. However, all three credit reporting bureaus have been offering free weekly online reports during the Coronavirus Disease 2019 (COVID-19) pandemic. To request them, go to com, the official website sanctioned by the US government’s Consumer Financial Protection Bureau.
• Place a fraud alert on your credit reports if you find out you are a data breach victim or you notice suspicious activity in one of your accounts. The fraud alert makes it harder for identity thieves to open accounts in your name, according to the US Federal Trade Commission. There is no fee for this service, which lasts a year. To place a fraud alert, you just need to contact one of the three credit reporting bureaus (Equifax, Experian, or TransUnion). That company must then tell the other two bureaus about the alert.

• Use a strong password or passphrase for each online service account you have. Do not use that password or passphrase for any other account.
• Use two-step verification (aka two-factor authentication) to protect your online service accounts if they offer this capability. Two-step verification provides an extra layer of protection against unauthorized access to those accounts.

T-Mobile flickr photo by JeepersMedia shared under a Creative Commons (BY) license