Hackers have once again found their way into T-Mobile’s systems, the company’s fourth reported data breach since early 2020. This time, the loot included sensitive personal information associated with approximately 48 million people, most of whom were former or potential clients of the self-proclaimed “Un-carrier”.
Here’s a breakdown of what happened, the risks you might face, and how you can protect yourself from them.
What information has been taken?
According to the company, the stolen data included names, dates of birth, social security numbers and driver’s license information. In most cases, the company said, “No phone numbers, no account numbers, [personal identification numbers], passwords or financial information has been compromised.” However, some 850,000 customers with prepaid accounts had their names, phone numbers and account PINs exposed, T-Mobile revealed.
Hackers began offering the data for sale last weekend, according to security researcher Brian Krebs, who predicted everything would soon end up online.
While the potential number of people affected is huge, according to T-Mobile’s tally, it represents less than half of the company’s 105 million current customers. T-Mobile said it will notify customers whose data has been exposed and provide two years of identity theft protection service from security firm McAfee for free.
What are the risks?
There have been so many data breaches at so many companies over the years, some security experts say much of the information exposed by T-Mobile is probably already available on the dark web. But that doesn’t mean you should just ignore what happened. Those whose data has been exposed face increased risks of identity theft, phishing scams and other forms of fraud, Krebs warned.
Social security numbers are widely used by the federal government, banks, investment firms, government benefit programs, and insurers to verify identity. Your stolen SSN can be used to open fraudulent credit card accounts, misappropriate or fraudulently collect benefits, and commit workplace fraud, among other forms of deception. Add your name, date of birth, and driver’s license number, and it’s easier for someone to impersonate you.
Identity thieves could use this information to target both you and the banks, insurers, and other businesses you deal with. For example, they could use it to make phishing emails more realistic, helping to persuade you to give out additional sensitive information like a password or PIN. Or they could use it to trick your bank into allowing them to change your account password, thereby giving them access to your money.
For those whose phone numbers have also been exposed, there is at least one other malicious possibility: a SIM swap attack. This is where someone persuades your mobile carrier to port your number to another device, which they then use to attempt to access accounts that you have linked to your phone number. It is more and more common for people to use their cell phone numbers to verify their identity, for example when they log into their bank account online or when they want to reset their password. But that convenience can backfire if your number is hacked and then used to steal your identity online.
How do you protect yourself?
The best thing you can do is freeze your credit reports, which will prevent anyone from opening a new account. It is free to place a freeze and to lift it for your own needs. But you need to contact each of the three major credit bureaus individually, which you can do online. Krebs also suggests freezing credit records maintained by a handful of smaller specialist agencies. You should also check your credit score regularly, which is a good way to spot fraud once it happens.
Credit and identity monitoring services, which typically have a monthly fee, can also help uncover the work of identity thieves. They provide tools to protect you from phishing and other forms of hacking, combined with analytics services that look for your social security number or email address in places online where they don’t belong.
Meanwhile, T-Mobile has put together a website suggesting more steps people can take to guard against fraud. Anyone with a smartphone would be well advised to take them:
- Create a PIN code for your mobile phone account to provide an additional layer of security against unauthorized changes to your account, such as a malicious SIM swap. If you are a T-Mobile customer and have a PIN code, set a new one.
- Activate T-Mobile’s “takeover protection” feature, which adds an extra layer of protection to the PIN code. Verizon goes one step further, automatically blocking SIM swaps by shutting down both the new and existing device until the account holder looks into the existing device.
- Change the password you use to access your online mobile phone account. Changing passwords periodically is a good practice for all of your accounts. And if you’re having trouble remembering dozens of passwords, try a password manager app that can track them for you.
On the bright side, two-factor authentication is becoming the norm online, which improves security on the web. But too many sites encourage you to make that second factor a text message to your phone number, which encourages SIM swap fraud. If possible, use an authenticator app instead.