Aug 18, 2021 Brittani Johnson

T-Mobile Data Breach: How to Protect Your Customers from Identity Fraud

There are many news stories making headlines, but one in particular is catching a good deal of attention: T-Mobile’s data breach.

On August 16, T-Mobile issued a statement noting they were investigating claims that sensitive T-Mobile data had been illegally accessed and exposed on the dark web. The sophisticated cyberattack and subsequent data breach were verified the next day, with the company’s preliminary analysis confirming that a subset of current, former, and prospective customers’ first and last names, date of birth, Social Security number, and driver’s license/ID information were compromised in the breach. The preliminary analysis found that information from 7.8 million current T-Mobile postpaid customer accounts, as well as “just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” was contained in the stolen files.

Additionally, the company confirmed that approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were exposed. As a proactive measure, the company has reset all PINs on those accounts to help protect customers. T-Mobile also confirmed that “some additional information from inactive prepaid accounts [were] accessed through prepaid billing files;” however, no customer financial or payment information or Social Security numbers were contained in the inactive file. While the T-Mobile data breach investigation is still underway, the company stated that they “are confident that the entry point used to gain access has been closed.”

The SIM-Swapping Risk of the T-Mobile Data Breach

As first reported by Motherboard, the seller of the stolen data claimed to have obtained customers’ physical addresses and unique IMEI numbers. An IMEI (International Mobile Equipment Identity) is a 15-digit number unique to each device. These numbers are shared between phone carriers and manufacturers to enable tracking of smartphones that may be stolen or compromised. What’s more, IMEI numbers could offer some assistance to hackers attempting a SIM-swap attack. This type of attack is not widely known among consumers, so many aren’t aware of the risks or how to protect themselves from it.

SIM swapping is a type of fraud that exploits cell phone carriers’ ability to “port” a number to a different device, which is typically done when a customer’s phone has been lost or stolen. By providing the right information – which can be obtained via a number of different methods, including phishing, hacking, or buying it on the black market – scammers can easily trick phone carrier representatives into doing exactly what they need. Once the swap succeeds, the victim’s mobile phone becomes unusable because it no longer has service, and the fraudster receives all calls and messages going forward. For SIM swap victims, this means that the fraudster can now access their bank account, social media accounts, email, and other sensitive accounts. Essentially, SIM swapping can easily lead to many other types of fraud, including financial fraud, utilities fraud, tax fraud, and more.

How to Protect Yourself and Your Customers from Identity Fraud Following a Data Breach

Following a data breach, it’s important for any potentially impacted consumer to take the necessary precautions to help protect their personally identifiable information (PII) and sensitive financial data from identity fraud. As many companies do after experiencing a data breach, the mobile telecommunications giant is offering its customers 2 years of free identity protection services, as well as additional resources, which are detailed on its website.

It’s important to note that these post-breach protections are often provided for a specific amount of time, and scammers watch the headlines. Often, scammers will make note that consumers will have these extra protections for a number of weeks, months, or even years, and will mark the calendar waiting to use the stolen data. That’s why it’s imperative that your customers are educated about the risks of identity fraud and have “permanent” protections in place, including a comprehensive identity & cyber protection program from a reputable provider that they trust – like you.

Share the following data breach safety measures with your customers to help reduce their risk of fraud:

  • Make monitoring activity on your financial and credit card accounts part of your routine.
  • Set up two-factor authentication where available for extra security.
  • Rethink the information you’re sharing online. With so much information leaked in breaches, hackers can piece together compromised information with the information you publicly share to create a holistic picture of your identity.
  • Always use strong, long, and unique passwords, and don’t reuse passwords across multiple platforms, as this allows hackers to access multiple accounts when just one is breached.
  • Be on the lookout for phishing emails. In the aftermath of any data breach, it’s common for those affected to receive an influx of phishing emails supposedly from the organization breached or other trusted service providers.
  • Sign up for a comprehensive identity and cyber protection service that includes credit and identity monitoring if you haven’t already. Just be aware that not all monitoring services will protect you equally, so make sure you find a service with powerful monitoring capabilities and 24/7/365 full-service, expert resolution assistance should you ever find yourself the victim of fraud.
  • Comprehensive identity monitoring services should utilize automated monitoring and human threat intelligence for their internet surveillance (surface, deep, and dark web) and compromised credential monitoring. Monitoring should also include alerts so that if your information is detected, you can quickly assess the situation and work with resolution experts to minimize any impact.

Some recommended information to monitor includes:

  • Social Security number
  • Email addresses
  • Date of birth
  • Debit/credit card numbers
  • Bank account numbers
  • High-risk transactions
  • Insurance card/policy number
  • Driver’s license number
  • Loyalty card numbers
  • Passport number

As more details and developments are released, we will be updating our Twitter account with more information; please follow @IrisIDProtect to stay informed.