US telecoms agency to probe T-Mobile data breach that affected more than 47m people

T-Mobile US said that dates of birth, first and last names were also stolen.

WASHINGTON (REUTERS, NYTIMES) - The United States Federal Communications Commission (FCC) said late Wednesday (Aug 18) it will investigate a data breach disclosed by T-Mobile US impacting more than 47 million current, former and prospective customers.

The third-largest US wireless carrier said personal data, including social security numbers and driver's license information, of more than 40 million former and prospective customers was stolen along with data from 7.8 million existing T-Mobile wireless customers.

Dates of birth, first and last names were also stolen, the telecom services provider said, adding there was no indication their financial details had been compromised.

"Telecommunications companies have a duty to protect their customers' information. The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating," an FCC spokesman told Reuters.

The company, which had 104.8 million customers as of June, acknowledged the data breach on Sunday after US-based digital media outlet Vice reported that a seller had posted on an underground forum offering private data, including social security numbers from a breach at T-Mobile servers.

T-Mobile said approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.

In 2015, AT&T Inc agreed to pay a US$25 million (S$34 million) fine to resolve an FCC investigation into consumer privacy violations at AT&T's call centres.

Vice said the seller claimed that 100 million people had their data compromised in the breach. The seller was offering data on 30 million people for 6 bitcoin, or around US$270,000.

Reports later suggested that the asking price had slumped and the entire data set was being sold for just US$200.

Reuters has not been able to check the veracity of the forum post.

T-Mobile, like other major corporations, has struggled to stave off hackers and prevent data breaches. In 2018, T-Mobile suffered a security breach that compromised personal information of as many as 2 million customers, including phone numbers, e-mail addresses and account numbers. In 2019, the company's e-mail vendor was hacked, revealing some customer and employee personal information.

In response to the breach, the company said it would offer two years of free identity protection services. T-Mobile did not immediately respond to questions about updates to its security systems.

The breach was just one of many cracks in cyber security across multiple industries exposed in recent years. Experts repeated concerns on Wednesday that, more and more, companies and institutions do not have the necessary security protocols in place to protect sensitive information.

Recent cyber attacks around the world have taken down operations at gasoline pipelines, hospitals and grocery chains, and have potentially compromised some intelligence agencies. Large financial companies face hundreds of thousands of cyber attacks every day, and sometimes fail to stop them.

"The security programs most companies have are just struggling to keep up," Mr Daniel Miessler, an information security expert and tech writer in San Francisco, said in an interview. He added that, given the complexity of running a major telecom business and the difficulty in keeping data secure, he was surprised the public did not see more major breaches more often.

Ms Yuan Stevens, a researcher at Ryerson University in Toronto who has studied the 2018 T-Mobile breach, said that the company's system of handling security complaints put the onus on consumers to keep their information safe.

"I do not think it's on the individual to protect their data," Ms Stevens said. "We should not have to opt out of using services in order to protect ourselves. Instead, institutions should be responsible for protecting consumer data."

Companies that collect information that can be sold on black markets, like consumer data, will always be susceptible to hacks, said Ms Cherise Esparza, a co-founder of Security Gate, a cyber-security firm. But most companies tend to address blind spots retroactively, or scramble to defend themselves only after a competitor suffers a hack.

"People are starting to see their peers getting hacked, and they don't want to be in the news," Ms Esparza said. But she added that, for many companies, data security drifted as a priority.