The T-Mobile Data Breach Is Much Worse Than It Had to Be
In an email overnight, T-Mobile shared details about the data breach it confirmed Monday afternoon. They're not great. Assorted data from more than 48 million people was compromised, and while that's less than the 100 million that the hacker had initially advertised, the vast majority of those affected turn out not to be current T-Mobile customers at all.
Instead, T-Mobile says that of the people whose data was compromised, more than 40 million are former or prospective customers who had applied for credit with the carrier. Another 7.8 million are current “postpaid” customers, which just means T-Mobile customers who get billed at the end of each month. Those roughly 48 million users had their full names, dates of birth, social security numbers, and driver's license information stolen. An additional 850,000 prepaid customers—who fund their accounts in advance—had their names, phone numbers, and PINs exposed. The investigation is ongoing, which means that the tally may not stop there.
There's no good news here, but the slightly less bad news is that the vast majority of customers appear not to have had their phone numbers, account numbers, PINs, passwords, or financial information taken in the breach. The bigger question, though, is whether T-Mobile really needed to hold onto such sensitive information from 40 million people with whom it doesn't currently do business. Or, if the company was going to stockpile that data, why it didn't take better precautions to protect it.
“Generally speaking, it's still the Wild West in the United States when it comes to the types of information companies can keep about us,” says Amy Keller, a partner at the law firm DiCello Levitt Gutzler who led the class action lawsuit against Equifax after the credit bureau's 2017 breach. “I'm surprised and I'm also not surprised. I guess you could say I'm frustrated.”
Privacy advocates have long promoted the concept of data minimization, a fairly self-explanatory practice that encourages companies to hold onto as little information as necessary. Europe's General Data Protection Regulation codifies the practice, requiring that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” The US currently has no equivalent on the books. “Privacy laws in the United States that do touch upon data minimization generally don't require it,” Keller says, “and instead recommend it as a best practice.”
Until and unless the US adopts an omnibus privacy law similar to GDPR—or state-level legislation like the California Consumer Privacy Act starts taking a harder line—data minimization will remain a foreign concept. “In general, collecting and retaining sensitive data of prospective and former customers is not an act of consumer fraud under US law, and is routine,” says David Opderbeck, codirector of Seton Hall University's Institute of Law, Science & Technology. As inappropriate as it may seem for T-Mobile to keep detailed records on millions of people who may never have been their customers, there's nothing stopping it from doing so, for as long as it likes.
Now those former and prospective customers, along with millions of current T-Mobile subscribers, find themselves victims of a data breach they had no control over. “The first risk is identity theft,” says John LaCour, founder and CTO of digital risk protection company PhishLabs. “The information includes names, social security numbers, driver's license IDs: all the information that would be required to apply for credit as someone.”
The hack would also potentially make it easier to pull off so-called SIM swap attacks, LaCour says, particularly against the prepaid customers who had their PINs and phone numbers exposed. In a SIM swap, a hacker ports your number to their own device, typically so that they can intercept SMS-based two-factor authentication codes, making it easier to break into your online accounts. T-Mobile did not respond to an inquiry from WIRED as to whether International Mobile Equipment Identity numbers were also implicated in the breach; each mobile device has a unique IMEI that would also be of value to SIM-swappers.
T-Mobile has implemented a few precautions on behalf of victims; it's offering two years of identity protection services from McAfee's ID Theft Protection Service, and has already reset the PINs of the 850,000 prepaid customers who had theirs exposed. It's recommending but not mandating that all current postpaid customers change their PINs as well, and offering a service called Account Takeover Protection to help stymie SIM-swap attacks. It also plans to publish a site for “one stop information” Wednesday, although the company didn't say if it would offer any kind of lookup to see if you're affected by the breach.
Instead, T-Mobile says it will rely on proactive outreach to victims. The carrier didn't respond to an inquiry from WIRED as to what if any specific plans it had for that communication, and what specific information they'll be sharing with people whose data was compromised. Even sharing something as simple as a timetable would help, LaCour says, so that people could know they're in the clear if they haven't been a T-Mobile customer for a certain number of years.
In the meantime, if you're a current T-Mobile customer you should go ahead and change your PIN and password; you can do so from your T-Mobile account online. You should take the free two years of ID monitoring, although it's not yet clear how that will work in practice. You should start using app-based two-factor authentication wherever possible, rather than receiving those codes by text. For a more extreme but still prudent precaution, you can contact the three major credit bureaus and request a freeze on your credit report, which would stop anyone from accessing it or opening new accounts in your name.
Because the US lacks a comprehensive cybersecurity law, agencies like the Federal Communications Commission and the Federal Trade Commission have limited ways to apply pressure, says Seton Hall's Opderbeck. If T-Mobile does face repercussions for the breach—its sixth in four years—it would likely come from a class action lawsuit. Opderbeck says that his research has shown more than 30 data breach settlements in the last few years that resulted in a small cash payout and free credit monitoring as restitution. And Keller notes that even the class action route may be difficult to travel, because of a clause in T-Mobile contracts that can force customers into arbitration.
It's not realistic to expect every company to stop every breach, especially when those companies possess data highly valuable to hackers. But it is reasonable to hope that a business in that position would take every care to limit the impact of those compromises. Keeping detailed records of more than 40 million former or prospective customers—including their social security numbers and driver's license information—seems needlessly reckless. After all, you can't steal what isn't there in the first place.