Hackers used one of T-Mobile’s own APIs to gain access to its systems
The U.S. mobile carrier first discovered that hackers had entered its systems on January 5 of this year. In a press release (opens in new tab), T-Mobile explained that access to its systems was shut down within 24 hours but during that time, the hackers behind the attack managed to obtain a great deal of its customers’ personal data.
However, as reported by The Wall Street Journal (opens in new tab), the company believes that the hackers may have had access to its systems since November 25 of last year. Besides conducting its own internal investigation, T-Mobile also worked with law enforcement agencies and cybersecurity consultants to discover how they were able to access its systems.
As it turns out, “a bad actor used a single Application Programming Interface (or API) to obtain limited types of information” from customer accounts. Fortunately, T-Mobile’s systems and policies “prevented the most sensitive types of customer information from being accessed” but a concerning amount of customer data has been exposed as the result of the breach.
Customer info exposed (but not financial data)
According to T-Mobile, the hackers responsible for the company’s second major data breach may have accessed customer names, billing addresses, emails, phone numbers, birth dates and account numbers though the number of lines on their accounts and plan features could also have been accessed.
No passwords, payment information, Social Security numbers, government ID numbers or other financial account information was exposed as a result of the data breach.
Although T-Mobile tried to downplay the breach in its statement on the matter by saying the customer information obtained is “widely available in marketing databases or directories”, it’s still a big deal and the company could face scrutiny and possibly even fines from regulators. With all this information in the hands of hackers, T-Mobile customers are more likely to fall victim to phishing attacks or even identity theft.
T-Mobile has committed to making “substantial, multi-year investments” to strengthen its cybersecurity program but it hasn’t gone as far as to offer the best identity theft protection services free of charge to affected customers, yet. However, this could change, especially if there’s a lot of backlash regarding the breach.
How to stay safe after a company you do business with suffers a data breach
Although you can install the best antivirus software on your computer to protect you from malware and other cyber attacks, there really isn’t much you can do when a company you do business with falls victim to a data breach. As login information wasn’t exposed, changing your password won’t do much good but it might be worthwhile if you aren’t using a strong, complex and unique password to secure your T-Mobile account.
If you’re extra cautious though, you may still want to consider investing in identity theft protection as many of the companies that offer these services include Dark Web scans that can look to see if your personal information is already in the hands of hackers. See our roundup of the best identity theft protection services based on our testing.
In this case, we’ll just have to wait and see as to how T-Mobile responds. For instance, thousands of PayPal customers recently fell victim to a credential stuffing attack and the company provided them with free identity monitoring for two years even though it wasn’t at fault.