Yesterday I wrote a story about the T-Mobile had been pwned by hackers, and the potential that every T-Mobile customer might have been affected. Not only that, they way that they were handling it frankly sucked. I guess T-Mobile is feeling the heat as they came out with a statement confirming that they had been pwned. To save you the trouble of reading it, here’s the highlights:
While our investigation is still under way and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.
We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information.
Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.
Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.
Well, if you have first names, last names, dates of birth, SSN, and drivers license/ID information, you can likely pull off some pretty effective identity theft scams. And while the number of people affected according to the company amounts to just under 48 million past and present customers, that’s still pretty bad. And T-Mobile knows it while trying to downplay it at the same time:
As a result of this finding, we are taking immediate steps to help protect all of the individuals who may be at risk from this cyberattack. Communications will be issued shortly to customers outlining that T-Mobile is immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
You as a company don’t offer that up unless you know that the odds of your customers having issues with identity theft are pretty high.
To be clear, this is not the first time that they have been pwned. Let me list all the previous hacks:
- The theft of the details of 2 million customers in August 2018
- A hack involving the theft of prepaid customer data in November 2019
- The theft of employee and customer data in March 2020
- A “security incident” involving “malicious, unauthorized access” to some information related to T-Mobile accounts in January
Thus T-Mobile’s assurances mean little at this point as clearly their track record in terms of securing data sucks. Someone, like congress for example needs to slap this clowns silly and make an example of them because this level of pwnage is completely unacceptable.