Current, prospective and former customers have had their information compromised, including some social security numbers.
T-Mobile has confirmed that millions of customers’ personal data was compromised in a cyberattack.
Over the weekend, hackers claimed to have stolen detailed, sensitive information on 100m of the telco’s customers. The company went on to confirm on Monday (16 August) that a breach had occurred, but it had not determined whether any personal data had been stolen.
T-Mobile has now said that data relating to approximately 7.8m current bill-pay customers and more than 40m prospective or former customers appears to have been compromised.
“Some of the data accessed did include customers’ first and last names, date of birth, social security number, and driver’s license/ID information for a subset of current and former post-pay customers and prospective T-Mobile customers,” it said.
The company added that 850,000 active T-Mobile prepay customers’ names, phone numbers and account PINs were also exposed, but said it had reset these PINs and would be notifying affected customers.
The telco said there was “no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information”.
T-Mobile was informed of the breach “late last week”, it said, and “located and immediately closed the access point” it believes was used to gain entry.
In response to the breach, the company is offering two years of McAfee ID Theft Protection Service to all customers who may have been affected. It is also advising customers to take a number of steps to protect their accounts with the company.
It added that a “forensic” investigation is “ongoing” and that it is coordinating with law enforcement. Due to the ongoing nature of the enquiry, T-Mobile also said that details could “change or evolve”, but it “wanted to share these initial findings” at this point.
The data breach is not the only bad news for T-Mobile this week. On Friday, the California Public Utilities Commission ruled that the company had misled and lied to regulators during the process of its merger with Sprint. The telco now has the opportunity to justify to authorities why it shouldn’t be fined for this infraction.