US mobile operator T-Mobile confirms “unauthorised access” to its systems after customer data appeared for sale on forum
US telecoms company T-Mobile has suffered another data breach, after confirming that “some” customer data had been compromised.
It comes after Vice at the weekend reported that T-Mobile was investigating a forum post claiming to be selling a load of personal data.
The forum post itself doesn’t mention T-Mobile, but the seller reportedly told Vice they had obtained data related to over 100 million people, and that the data came from T-Mobile servers.
What is worse is the data was said to include customer account names, phone numbers, the IMEI numbers of phones on the account, and social security number and driver’s license information – which is the information used by T-Mobile to verify customer identities.
Now in a post on Monday, T-Mobile confirmed that it had suffered a ‘cyber security incident’ and the data of some of its customers had been compromised.
“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed,” it said, adding that it takes the protection of its customers “very seriously” and was working with digital forensic experts and coordinating with law enforcement.
“We have determined that unauthorised access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” it confirmed. “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
“This investigation will take some time but we are working with the highest degree of urgency,” the operator added. “Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”
“Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders,” it concluded.
The forum post which touted the T-Mobile data for sale, the seller is reportedly asking for 6 bitcoin (approximately $275,000) for a 30 million subset of customers’ data.
It should be noted that T-Mobile has been hacked on multiple occasions in the past, with some publications reporting that the operator has been hacked as many as five times in recent years.
In 2015 the personal data on 15 million T-Mobile USA customers appeared online for sale.
T-Mobile last year finally completed its $26 billion acquisition of rival Sprint, in a deal that took years to complete.
The merger, which almost took place in 2014, was revealed in April 2018, but faced significant regulatory scrutiny over concerns it would reduce competition, and result in higher prices for consumers.
Deutsche Telekom, which owns T-Mobile, had been negotiating with Japan’s SoftBank, which controlled Sprint, for years.