T-Mobile Investigating 100 Million Subscriber Data Breach

from the whoops-a-daisy dept

Another day, another massive privacy scandal. T-Mobile is purportedly investigating a massive data breach that may have revealed the personal data of more than 100 million subscribers. First reported by Motherboard, the stolen data recently popped up on underground hacker forums, and includes subscriber social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver license information. Motherboard confirmed the data is genuine, and noted that the seller is asking $270,000 for a small subset of the data:

“On the underground forum the seller is asking for 6 bitcoin, around $270,000, for a subset of the data containing 30 million social security numbers and driver licenses. The seller said they are privately selling the rest of the data at the moment.”

For years companies and some policymakers have soothed themselves with the belief that data collection of this scale isn’t a big deal because data is “anonymized.” But there’s been a steady parade of studies showing how it’s relatively trivial to identify users with just a small portion of additional data. The more data that’s just bouncing around in the wild, the easier it gets. And with a bevy of hacks and leaks like this one, it just gets simpler.

T-Mobile has just around 105 million wireless subscribers, meaning this hack could involve… pretty much all of them. Meanwhile consumers have yet to be informed because T-Mobile has yet to fully confirm the hack even happened, or provide any additional information:

“T-Mobile said in a statement to Motherboard that “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.” T-Mobile repeatedly declined to answer follow-up questions about the scale of the breach.”

You know, just another day in a country with no meaningful internet-era privacy protections.

Filed Under: ,
Companies: t-mobile

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “T-Mobile Investigating 100 Million Subscriber Data Breach”

Subscribe: RSS Leave a comment
Annonymouse says:

Re: Encryption?

Banks, we’ll the not lazy ones anyways, subdivide user data into seperat databases on independent drives on different servers.

I remember one branch didn’t and compounded the error by not wiping that one HDD before liquidation.
Poop hit the fan when the reseller discovered the files and reported it. Head office came down like a ton of cement as did the ministry.

TaboToka (profile) says:

Re: Re: Encryption?

Banks, we’ll [sic] the not lazy ones anyways, subdivide user data into seperat[e] databases on independent drives on different servers.

This is the direction they should all go. Specifically, the sensitive data (SSN, DL, all other PII) should each be stored in its own table, encrypted and protected with access controls, stored procedures and triggers to only allow access in authorized ways and by authorized accounts.

If implemented correctly, it should not be possible to do something like SELECT ssn FROM ssns; (i.e., it would fail if more than one record was returned), and a plain old SELECT * FROM users WHERE ID='c2b10e7f-2739-4701-b50b-9f837d7eadb8'; should not contain any PII.

Anonymous Coward says:

Re: Encryption?

It’s legitimately hard to encrypt much of this data in any useful way. There are too many people that need access. Phone numbers need to be used all over the network. Names and addresses for billing, and for lookup by any minimum-wage store clerk. Driving licenses could maybe be encrypted such that only a small number of backoffice staff could read them. SSNs should in theory be treated like that, but is part of the data they want to share with credit bureaus (along with name, address, date of birth).

The best we’ll get, realistically, is better audit trails and better protection against bulk export. Maybe the customer service people will only be allowed 20 lookups a day, or they’ll need manager approval for no-phone-present lookups. Still, there will be at least tens of people with access to a huge database of everyone.

My guess is that T-Mobile won’t be punished. They should be, though, which might push companies to treat personal data like the toxic waste it is. Just this week, an idea called Pretty Good Phone Privacy (PDF paper) was in the news. It’s a way to run a phone network while collecting basically no data on subscribers—notably, no location data. The network only gets an anonymous proof that you paid for service. It’s unlikely to be legal everywhere: even some countries that claim to value privacy require their telcos to collect and store photo ID from subscribers (the USA, though, isn’t one of them—the authors believe it would be allowed).

ECA (profile) says:

Re: Encryption?

Still got Q: about all these break-ins.
What OS are they using?
What protections?

Even Cheap/easy protections arnt hard to create. Even under windows.

With that said,
I wonder how much the person IN THE COMPANY, thinks they will get. The list is huge of the break-ins, and thinking that All our personal data is out in the wild is very interesting.
Privacy has only 1 group that Really want it. Its the banks. With the right data you can take over anyone’s accounts. You can make credit cards. You can have a revenge thing going to tear a company apart.

And something iv said before. You can now contest anything the bank has on your record, that is recent. No one checks the signatures anymore, its to be AUTOMATED so there is no handling by the resellers.
Then we get to the idea of ‘what can the banks do, to prove Who is using your cards/data’.
Between chips and tattoo’s, which can ALSO be copied by semi smart people. Why dont we go back to the old ways? Because we Think automation saves money. Gets rid of all the middlemen, but still costs money to the reseller.

charliebrown (profile) says:


You do realize that, if the last few years are anything to go by, this breach will have been twice as big as first reported. Now you can’t have 200 million subscriber’s data breached if you only have 105 million subscribers, so I’d guess that all 105 million subscribers have been compromised.

By the way, I still have a Yahoo! account. Not sure why, but I do. And I’ve had (and used) it since 2005.

That Anonymous Coward (profile) says:

I look forward to people managing to get another 1000 years of "free *" credit monitoring as compensation.

The only way this will ever change is if some gray hats managed to compile the breached data about members of Congress & go to town with it.
They live in this magical bubble where they pretend everyone is treated like they are, ignoring they are pampered like the CEO’s are.

Imagine if MTG had to deal with the archaic system we all face when some corporation didn’t actually take our privacy seriously. In between her trying to blame the Space Jews & Obama, they might actually pass some rules to actually punish these corporations who refuse to spend a single dime on securing their systems after seeing hundreds of breaches & thinking it will never happen to them.

Social security numbers were never meant to become what they are today, perhaps it is time to demand better. I mean they FINALLY took SS numbers off of medicare cards & now use a unique identifier to try and stop fraud. SS numbers are like bluetooth, it was a nice idea but don’t use it for important things.

Ceyarrecks (profile) says:

No Kidding,...

The more data that’s just bouncing around in the wild, the easier it gets.

It was quite anticipated, when companies began outsourcing ALL of their Customer "Service" calls to India, that not too much time passed when it was discovered that customer’s information was lost to/in those in India.

Not to single out India, for any OCONUS storage of one’s jewels, the greater the risk of those jewels being stolen.

Of course, the obvious solution is what the Corporations’ belly will never allow: bring ALL support in-house to vastly improve integrity and protection of said jewels.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...