100m T-Mobile accounts reportedly hacked, including social security numbers

The personal data of more than 100 million T-Mobile users is for sale online and the company says it is investigating the claim. Joseph Cox at Vice first reported on the forum post touting the cache, which offers names, addresses, social security numbers and phone numbers.

"T-Mobile USA. Full customer info," the seller told Motherboard in an online chat. The seller said they compromised multiple servers related to T-Mobile. On the underground forum the seller is asking for 6 bitcoin, around $270,000, for a subset of the data containing 30 million social security numbers and driver licenses. The seller said they are privately selling the rest of the data at the moment.

"I think they already found out because we lost access to the backdoored servers," the seller said, referring to T-Mobile's potential response to the breach.

At Hacker News, Princeton University Assistant Professor of Computer Science and Public Affairs Jonathan Mayer commented that T-Mobile had "recurring data security deficiencies" during his time as CTO of the FCC's Enforcement Bureau.

In 2017, the FCC determined that T-Mobile had violated federal law in a data breach involving customer credit information. There was reportedly no fine because Congress has imposed a strict one-year statute of limitations on FCC enforcement actions.

In 2020, the FCC charged T-Mobile with again violating federal law in failing to protect customer location information. The FCC proposed a $91.6M fine, widely criticized as insufficient at the time. I don't believe the FCC has finalized or collected that penalty.

There have been several other incidents, including in 2018, 2019, early 2020, and late 2020.

I hope there has not been a new data breach. But if there has been, this is the latest in a pattern, and the incentives have to change.

Another commenter there summarizes the problem with T-Mobile more succinctly:

I left TMo in 2018 when their 'forgot password' link sent me my actual password, via email.