NEW YORK TIMES — A cyberattack on T-Mobile exposed the information of more than 40 million people, with stolen files including names, birthdays and social security numbers, the company said on Tuesday.
The mobile service provider said in a statement that it had been investigating the data breach since last week, when it was “informed of claims made in an online forum that a bad actor had compromised T-Mobile systems.”
The company said the stolen files included information from approximately 7.8 million current T-Mobile accounts, as well as records of more than 40 million former or prospective customers who had applied for credit with the company.
Some of the exposed data included customers’ first and last names, social security numbers, driver’s license and other information, T-Mobile said. It also included the PINs of about 850,000 active prepaid customers.
The company said it would reset PINs for those prepaid customers, and urged other customers to change their PINs as well. It added that it would create a website to “help customers take steps to further protect themselves.” T-Mobile said that no phone numbers, account numbers or passwords were compromised for current or prospective customers, and that there was no indication that financial, credit card or other payment information had been stolen. The company said it had “immediately closed” the access point in its computer system that it believed was targeted by the cyberattack.
T-Mobile announced it was investigating claims that data was “illegally accessed” on Monday, a day after Vice reported that a vendor in an online forum was trying to sell $270,000 worth of stolen information obtained from T-Mobile servers. The mobile company confirmed on Tuesday that customer data was affected.
T-Mobile, like other major corporations, has struggled to stave off hackers and prevent data breaches. In 2018, T-Mobile suffered a security breach that compromised personal information of as many as two million customers, including phone numbers, email addresses and account numbers. In 2019, the company’s email vendor was hacked, revealing some customer and employee personal information.
In response to the breach, the company said it would offer two years of free identity protection services. T-Mobile did not immediately respond to questions about updates to its security systems.
The breach was just one of many cracks in cybersecurity across multiple industries exposed in recent years. Experts repeated concerns on Wednesday that, more and more, companies and institutions do not have the necessary security protocols in place to protect sensitive information.
Recent cyberattacks around the world have taken down operations at gasoline pipelines, hospitals and grocery chains, and have potentially compromised some intelligence agencies. Large financial companies face hundreds of thousands of cyberattacks every day, and sometimes fail to stop them.
“The security programs most companies have are just struggling to keep up,” Daniel Miessler, an information security expert and tech writer in San Francisco, said in an interview. He added that, given the complexity of running a major telecom business and the difficulty in keeping data secure, he was surprised the public did not see more major breaches more often.
Yuan Stevens, a researcher at Ryerson University in Toronto who has studied the 2018 T-Mobile breach, said that the company’s system of handling security complaints put the onus on consumers to keep their information safe.
“I do not think it’s on the individual to protect their data,” Ms. Stevens said. “We should not have to opt out of using services in order to protect ourselves. Instead institutions should be responsible for protecting consumer data.”
Companies that collect information that can be sold on black markets, like consumer data, will always be susceptible to hacks, said Cherise Esparza, a co-founder of SecurityGate, a cybersecurity firm. But most companies tend to address blind spots retroactively, or scramble to defend themselves only after a competitor suffers a hack.
“People are starting to see their peers getting hacked, and they don’t want to be in the news,” Ms. Esparza said. But she added that, for many companies, data security drifted as a priority.