Earlier this week, hackers managed to gain access to data held on T-Mobile’s servers through a vulnerable API, making off with personal data of some US customers which could potentially be exploited by scammers.
In a customer advisory published late yesterday by T-Mobile, the company reassured customers that passwords, financial information, and social security numbers had not been exposed:
On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).
Of course, the lack of stolen passwords, credit card details, and social security numbers does not mean that you might not be targeted by online criminals.
As we’ve seen before (remember the TalkTalk breach in the UK?) fraudsters are more than willing to phone up customers of a telecoms provider, present themselves as the company (perhaps quoting the customer’s account and account details to appear more genuine), and then trick unsuspecting consumers into handing over further sensitive information that could facilitate identity theft.
If you are a T-Mobile user, you would also be wise to think twice before acting upon any emails you receive purporting to come from the company. After all, it could be someone pretending to be contacting you from the firm.
In its advisory, T-Mobile doesn’t say how many customers have been impacted by the latest breach. However, a spokesperson told Lorenzo Franceschi-Bicchierai of Motherboard that the breach affected “about” or “slightly less than” three percent of its 77 million customers.
3% of 77 milion is 2.31 million T-Mobile customers. So “about” or “slightly” less than that.
T-Mobile has apologised for the incident, and wants customers to know that it takes security very seriously:
We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.