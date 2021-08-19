The names, Social Security numbers and information from driver's licenses or other identification of just over 40 million people who applied for T-Mobile credit were exposed in a recent data breach, the company said Wednesday.

The same data for about 7.8 million current T-Mobile customers who pay monthly for phone service also appears to be compromised. No phone numbers, account numbers, PINs, passwords or financial information from the nearly 50 million records and accounts were compromised, it said.

T-Mobile has been hit before by data theft but in the most recent case, "the sheer numbers far exceed the previous breaches," said Gartner analyst Paul Furtado.

T-Mobile, which is based in Bellevue, Wash., became one of the country's largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger.

"Yes, they have a big target on their back but that shouldn't be a surprise to them," Furtado said. "You have to start questioning the organization. How much are they actually addressing these breaches and the level of seriousness?"

T-Mobile also confirmed Wednesday that approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed. The company said that it proactively reset all of the PINs on those accounts. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.

There was also some additional information from inactive prepaid accounts accessed through prepaid billing files. T-Mobile said that no customer financial information, credit card information, debit or other payment information or Social Security numbers were in the inactive file.

On Monday, the company disclosed that hackers had gained access to its computer networks, but had not yet determined whether personal data had been stolen or how many customers were affected. T-Mobile said it would reach out to customers and offer two years of identity protection services, and recommended that subscribers with postpaid plans change their pins.

"We take our customers' protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack," the company said.

Motherboard first reported on the breach, following posts on a Web forum offering to sell the private data.

The company said Monday that it had confirmed there was unauthorized access to "some T-Mobile data" and that it had closed the entry point used to gain access. "If you were affected, you'll hear from us soon," Chief Executive Officer Mike Sievert tweeted in response to a concerned customer Tuesday.

The company now says it will immediately offer two years of free identity protection services and is recommending that all of its postpaid customers -- those who pay in monthly installments -- change their PIN. Its investigation is ongoing.

SERIES OF BREACHES

T-Mobile has previously disclosed a number of data breaches over the years, most recently in January and before that in November 2019 and August 2018, all of which involved unauthorized access to customer information. It also disclosed a breach affecting its own employees' email accounts in 2020. And in 2015, hackers stole personal information belonging to about 15 million T-Mobile wireless customers and potential customers in the U.S., which they obtained from credit reporting agency Experian.

"It's a real indictment on T-Mobile and whether or not these customers would want to continue working with T-Mobile," said Forrester analyst Allie Mellen. "Ultimately T-Mobile has a lot of really sensitive information on people and it's just a matter of luck that, this time, the information affected was not financial information."

She said the hack didn't appear particularly sophisticated and involved a configuration issue on a server used for testing T-Mobile phones.

"There was a gate left wide open for the attackers and they just had to find the gate and walk through it," Mellen said. "And T-Mobile didn't know about the attack until the attackers posted about it in an online forum. That's really troubling and does not give a good indication that T-Mobile has the appropriate security monitoring in place."

VULNERABILITIES EXPOSED

The breach comes after a string of high-profile cyberattacks that refocused attention on the threats posed by digital intrusions, underscoring both the vulnerability of sensitive data and the damage that malicious actors can inflict beyond the theft of personal information.

This spring, a ransomware attack on Colonial Pipeline disrupted the East Coast's fuel network, setting off panic buying and temporary gasoline shortages across several states. Weeks later, a cyberattack targeting the world's largest meat supplier, JBS, threatened to knock out significant pieces of its global meat supply network, sparking concern over potential shortages and higher beef and pork prices.

The hacking of critical pieces of infrastructure highlighted the rising threats to government agencies, civil society groups and corporations, all of which increasingly rely on networked computer systems to operate.

Lawmakers have taken notice. As part of the bipartisan $1 trillion infrastructure proposal, U.S. Senate negotiators have included cybersecurity investments, reflecting the heightened sense that computer attacks could devastate entire communities. The bill would authorize nearly $2 billion in spending for cybersecurity initiatives.

Information for this article was contributed by Matt O'Brien of The Associated Press and by Hamza Shaban of The Washington Post.