Breach Notification , Incident & Breach Response , Security Operations

T-Mobile Alerts Customers to New Breach

Compromised Information Includes Phone Numbers and Call-Related Information
T-Mobile Alerts Customers to New Breach

T-Mobile on Tuesday began informing a portion of its customers that some of their mobile phone account information may have been compromised in a data breach that took place in early December.

See Also: Live Webinar | Software Security: Prescriptive vs. Descriptive

A company spokesperson tells Information Security Media Group that about 0.2%, or around 200,000, of its mobile customers were involved in an incident during which phone numbers, number of lines subscribed to and, in a small number of cases, some call-related information collected as part of normal operation and service may have been accessed.

"Our cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers," the T-Mobile notification says.

T-Mobile did not define the call-related information that was accessed or say how the data breach took place, but says the investigation is continuing. It also noted that other personally identifiable information that it stores was not affected.

"The data accessed did NOT include any names associated with the account, financial data, credit card information, social security numbers, passwords, PINs or physical or email addresses," the spokesman says.

On Tuesday, the company began notifying the affected customers of the situation by text.

T-Mobile also reported data breaches in March, November 2019 and August 2018.

The Information Involved

T-Mobile explains in its notification that its customer proprietary network information, or CPNI, as defined by the Federal Communications Commission rules, was accessed. The FCC requires all telecommunications carriers and interconnected providers of VoIP services to protect this data.

"CPNI includes some of the most sensitive personal information that carriers and providers have about their customers as a result of their business relationship (e.g., phone numbers called; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting)," the FCC says.

The FCC requires carriers and providers to file annual reports to certify their compliance with the CPNI rules, and failure to protect the data can lead to fines.

T-Mobile Sprint Merger

T-Mobile and Sprint completed their $26 billion merger on April 1, with the two companies combining under the T-Mobile brand. The deal, which was initiated in 2018, included the replacement of T-Mobile's longtime CEO John Legere with Mike Sievert.

In its financial statement for the third quarter of 2020, which ended Oct. 31, the combined company reported having 100.4 million customers, with revenues of $19.3 billion.


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.