T-Mobile Confirms Massive Data Breach krebsonsecurity.com

Joseph Cox, Vice:

T-Mobile says it is investigating a forum post claiming to be selling a mountain of personal data. The forum post itself doesn’t mention T-Mobile, but the seller told Motherboard they have obtained data related to over 100 million people, and that the data came from T-Mobile servers.

The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

Brian Krebs:

Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.

They claim one of those databases holds the name, date of birth, SSN, drivers license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.

The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. These are unique numbers embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number.

Amy Thomson, Bloomberg:

T-Mobile US Inc. said an investigation confirmed about 7.8 million current users had information stolen along with more than 40 million records from past or prospective customers who’d applied for credit in a cyberattack.

The stolen information included customers’ full names, dates of birth, social security numbers, and IDs such as drivers licenses, the Bellevue, Washington-based company said in a statement on Wednesday. The hack doesn’t appear to have included credit card details or other financial information, it said.

Even though the number of affected accounts is lower than initially claimed, T-Mobile’s official statement acknowledges the leak is worse than originally thought because the dump also includes personal information from people who merely applied.

Here’s the kicker from Thomson’s article:

T-Mobile’s shares were little changed in New York trading on Tuesday. The stock has gained 4.3% this year.

Massive data breaches that compromise the identities of tens of millions of people? That does not move the needle for investor confidence. It is just another day.