T-Mobile announced a massive data breach affecting users of its prepaid wireless accounts. Beyond account information, it exposed the phone number and address of its users. T-Mobile is downplaying this breach but there may be serious cause for concern since a mobile phone is a essentially a credit card with an antenna.
T-Mobile: Move Along Folks. Nothing to See Here
Remember when news of a data breach was accompanied by an interesting story of a lost briefcase left on a train or some files that didn’t make it to the shredder containing the records of a few hundred or perhaps a thousand consumers? It seems downright quaint now, doesn’t it? Today, T-Mobile announced what appears to be a very large breach indeed, affecting over 1 million of its prepaid phone customers but to hear T-Mobile describe it, this is no big deal.
But this is a big deal because the mobile phone is the portable memory of most consumers. It is not only the best way to contact you, but increasingly it contains your entire life. Your contacts, your calendar, your email, your test messages, your apps and more. In recent years, device manufactures have made physical device security a priority. First with fingerprint and then with facial recognition, but what if your mobile account itself is compromised. Can a malicious user gain access to your cloud storage of data or photos or take over the account itself? It’s not a theoretical risk when they have account control.
T-Mobile Downplays Risk
T-Mobile wrote announced the data breach by saying:
“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities. None of your financial data (including credit card information) or social security numbers was involved, and no passwords were compromised.
The data accessed was information associated with your prepaid service account, including name and billing address (if you provided one when you established your account), phone number, account number, rate plan and features, such as whether you added an international calling feature.”
T-Mobile’s announcement makes it sound like the absence of payment or SSN information means this breach was not too serious, but the exposure of detailed account information makes it quite likely that someone could impersonate you to take over your account. Once in control, users could make toll-calls using your mobile phone to generate hundreds or thousands of dollars for themselves, lock you out of your account or simply make sure that they are contacted whenever a third party attempts to verify a transaction by contacting you via phone. The possibilities for fraud are limitless when someone can impersonate you at will.
Unencrypted Credentials Expose Users Across the Internet
For the users, the exposure of this data file is much worse than it might seem at first. Even in a best-case scenario where sensitive personal information like SSN, DoB or payment card information is not included, the inclusion of unencrypted passwords and emails expose the users to tremendous risk. The “hackers” (not really, since they simply downloaded the file!) have login credentials for the Wizards website allowing them to access not only the accounts of these users but also any other website where these users share the same credentials.
If a user’s email address uses these same credentials, the damage could be incredibly widespread. The shared credentials could be used to take over the user’s email account, see which websites they get mail from and access other accounts using these shared credentials. If they wanted to, the user could change the passwords on these accounts, effectively locking the user out of their email or these other accounts and possibly make purchases on accounts where the user’s payment card information is stored. Truly, the potential for damage is only limited by the creativity of the hackers.
Currently T-Mobile says this breach affected approximately 1.5% of its 75 million customers which is just over 1 million individuals. However, because the company did not explain how the breach occurred, its quite possible that this is the tip of the iceberg. T-Mobile may uncover additional databases or other damage that extend the reach of this breach beyond the prepaid customers already identified.
Those that were affected should have received this notification from T-Mobile but if you have been or currently are a customer, you might want to check with T-Mobile and update your contact information and request that a password be placed on your account. Finally, if you haven’t done so already, register for MyProfyle’s Free for Life Identity Protection™, the only free identity monitoring service. Or consider trying our upgraded services that include identity restoration and other benefits.