T-Mobile said hackers stole the personal information of 7.8 million current customers, leaving millions of people vulnerable to identity theft by criminals who access the data.
The hackers took Social Security numbers, driver’s license and ID information for current, former and prospective customers of the telecom company.
“Our preliminary analysis is that approximately 7.8 million current T-Mobile post-paid customers’ accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the company said in a statement on Wednesday. “Importantly, no phone numbers, account numbers, PINs, passwords or financial information were compromised in any of these files of customers or prospective customers.”
Account PINs for 850,000 pre-paid customers were also exposed in the data breach, the Washington state-based telecommunications giant said.
The company said it learned of the data breach through claims made in an online forum last week and immediately began the investigation.
Previously, someone allegedly looking to sell the stolen data told Vice that the information came from T-Mobile servers and the records related to more than 100 million people. The seller was seeking six bitcoin — cryptocurrency equaling approximately $270,000 — at the time for 30 million Social Security numbers and driver’s licenses, Vice reported.
The hacker’s identity is not fully known. Hackers purportedly responsible for the T-Mobile intrusion have cited a vendetta against the U.S. as a motivating factor in comments to Alon Gal of the cybercrime intelligence firm Hudson Rock.
Cybersecurity writer Brian Krebs has noted on his website that the hack may be linked to an individual hacker who has been on the run for fear of prosecution over a different matter.
T-Mobile said it has closed the access point into its servers that it thinks the hackers used. Given the ongoing threat of identity theft to its customers, T-Mobile said it would offer two years of free identity protection services with McAfee’s ID Theft Protection Service to its customers.
The company also said it planned to create a web page for customers to learn more about how to protect themselves.
This is not the first time that T-Mobile has suffered a data breach affecting millions of its customers. In 2015, T-Mobile said a hacker who hit Experian, a vendor that processed its credit applications, obtained the personal information of approximately 15 million customers. The data lost included Social Security numbers and identification information — similar to the 2021 hack — particularly for applicants needing a credit check between September 2013 and September 2015, according to a statement from then-CEO John Legere.