T-Mobile has confirmed a data breach affecting more than a million of its customers, whose personal data (but no financial or password data) was exposed to a malicious actor. The company alerted the affected customers but did not provide many details in its official account of the hack.
The company said in
its disclosure to affected users that its security team had shut down “malicious, unauthorized access” to prepaid data customers. The data exposed appears to have been:
Name
Billing address
Phone number
Account number
Rate, plan and calling features (such as paying for international calls)
The latter data is considered “customer proprietary network information” and under telecoms regulations they are required to notify customers if it is leaked. The implication seems to be that they might not have done so otherwise. Of course some hacks, even hacks of historic magnitude, go undisclosed sometimes for years.
In this case, however, it seems that T-Mobile has disclosed the hack in a fairly prompt manner, though it provided very few details. When I asked, a T-Mobile representative indicated that “less than 1.5 percent” of customers were affected, which of the company’s approximately 75 million users adds up to somewhat over a million.
The company reports that “we take the security of your information very seriously,” a canard we’ve asked companies to stop saying in these situations.
Stop saying, ‘We take your privacy and security seriously’