In a recent Attorney General filing, T-Mobile reported it was the victim of another data breach.
On April 28, T-Mobile announced the second data breach the company has experienced in 2023. While the previous cybersecurity incident in January exposed personal data of 37 million customers, this most recent incident affected 836.
In Maine, companies that have experienced a computerized data security breach are required to report the breach to the Attorney General.
“In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023,” the company said in a notification to customers.
No personal financial information or call records were affected by the breach, however the information obtained “may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes) and the number of lines.”
“It is disappointing to see yet another T-Mobile data breach — regardless of the number of customers impacted, the impact to an individual should not be underestimated — even with credit monitoring being offered,” said Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems.
Mandy continued that it is also disappointing that details provided by T-Mobile on how the breach occurred and what data was actually impacted is still vague.
“We expect to see organizations like T-Mobile provide more detailed analysis on the technical cause of the data breach — by providing a more detailed analysis, it would help the entire industry to take proactive steps to avoid similar issues,” Mandy said.
Bud Broomhead, CEO at Viakoo, said what he found most concerning is the time between the breach being detected (March 27) and when customers were notified (April 28).
“Any delays in customer notification increases the risk and severity of individuals being exploited,” Broomhead said. “While there are state-level data breach disclosure laws in place, this timing barely meets most of them at 30 days and clearly does not meet the 10-day requirement in states like New York and Massachusetts.”
Broomhead gives credit to T-Mobile, and other telecommunications companies that have been affected by cyber attacks, for being proactive in highlighting threats and deploying solutions for emerging cyber-attack vectors such as IoT and endpoint security.
“In addition, despite large breaches of personal data by all carriers over time these incidents do not appear to have led to more SIM jacking or identity theft incidents,”Broomhead said.