T-Mobile Alerts Customers to New Breach
Compromised Information Includes Phone Numbers and Call-Related Information
T-Mobile on Tuesday began informing a portion of its customers that some of their mobile phone account information may have been compromised in a data breach that took place in early December.
A company spokesperson tells Information Security Media Group that about 0.2%, or around 200,000, of its mobile customers were involved in an incident during which phone numbers, number of lines subscribed to and, in a small number of cases, some call-related information collected as part of normal operation and service may have been accessed.
"Our cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers," the T-Mobile notification says.
T-Mobile did not define the call-related information that was accessed or say how the data breach took place, but says the investigation is continuing. It also noted that other personally identifiable information that it stores was not affected.
"The data accessed did NOT include any names associated with the account, financial data, credit card information, social security numbers, passwords, PINs or physical or email addresses," the spokesman says.
On Tuesday, the company began notifying the affected customers of the situation by text.
T-Mobile also reported data breaches in March, November 2019 and August 2018.
The Information Involved
T-Mobile explains in its notification that its customer proprietary network information, or CPNI, as defined by the Federal Communications Commission rules, was accessed. The FCC requires all telecommunications carriers and interconnected providers of VoIP services to protect this data.
"CPNI includes some of the most sensitive personal information that carriers and providers have about their customers as a result of their business relationship (e.g., phone numbers called; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting)," the FCC says.
The FCC requires carriers and providers to file annual reports to certify their compliance with the CPNI rules, and failure to protect the data can lead to fines.
T-Mobile Sprint Merger
T-Mobile and Sprint completed their $26 billion merger on April 1, with the two companies combining under the T-Mobile brand. The deal, which was initiated in 2018, included the replacement of T-Mobile's longtime CEO John Legere with Mike Sievert.
In its financial statement for the third quarter of 2020, which ended Oct. 31, the combined company reported having 100.4 million customers, with revenues of $19.3 billion.