Insights & Analyses

2 million names, phone numbers, account information leaked in T-Mobile data breach – One World Identity

U.S. wireless carrier T-Mobile has revealed that 2 million of its customers, including some with metroPCS, were victims of a data breach that exposed names, billing zip codes, phone numbers, email addresses, and even their account type.

Note: Discuss trust and the data economy with identity experts at the KNOW Conference, at the ARIA Resort in Las Vegas March 24-27, 2019. Sign up now for Early Bird pricing!

No financial information, Social Security numbers or passwords were exposed in the breach, the company said. All affected customers have been notified.

Notably, the breach occurred on Aug. 20, and the carrier announced the incident less than a week later, showing quick transparency. Data breach reporting timelines have been a crucial element of regulations regarding regulation of personally identifiable information — including Europe’s General Data Protection Regulation, which gives organizations just 72 hours to report to the relevant regulator.

Affected customers with questions can contact T-Mobile about the breach by dialing 611 on their mobile phone. The company has also noted that it is wise to change passwords regularly, even though none were believed to have been exposed in the hack.

With 75 million customers, the breach affected less than 5 percent of T-Mobile’s subscriber base.

Citing a spokesperson at the carrier, Threatpost reported that the breach occurred after hackers took advantage of a faulty API on an undisclosed part of its website. The attacks originated from IP addresses outside of the U.S.

OWI Insight: Perhaps one of the most encouraging changes in the wake of Equifax, GDPR and other events in the data economy is quicker turnaround in disclosing breaches. T-Mobile acted quickly to inform customers about the incident, texting those affected in just a few days. Contrast that with Equifax, which became victim to unauthorized access starting in mid-May of 2017, but did not publicly announce the breach until Sept. 7. Transparency with consumers helps to build trust — customers know that bad things will happen, but they deserve to be informed in a timely fashion.