Telecom giant T-Mobile has experienced what it describes as an "unauthorised access to certain information," resulting in the potential exposure of customers' personal information.
In an online disclosure, the company, along with its Metro PCS unit, said its cybersecurity team "discovered and shut down" the anomalous incident on 20 August. Impacted personal data may have included names, zip codes, phone numbers, email addresses, account numbers and account types (prepaid vs. postpaid). Financial information, social security numbers and passwords were not affected.
"We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorised access," T-Mobile said in its statement.
Motherboard has reported that a company spokesperson confirmed that the breach impacts "about" or "slightly less than" three percent of its 77 million customers, or roughly 2 million people.
Amit Sethi, security consultant at Synopsys, said that even though the unauthorised party didn't access the most sensitive data, the information that was exposed can nevertheless "potentially be used in targeted attacks where attackers can impersonate customers to T-Mobile's customer service representatives."
"Attackers may also be able to impersonate the customers [while communicating with] other wireless carriers and attempt to port the numbers in order to hijack the phone numbers. People who are impacted should ensure that they have set up a PIN with T-Mobile that they use to authenticate to customer service representatives, and that is required to port their phone numbers to another carrier."
While the data breach is certainly unwelcome news, "This security incident favorably stands out among many others [due to] prompt detection and transparent disclosure," said High-Tech Bridge CEO Ilia Kolochenko, in emailed comments. "Many of the recent data breaches, including the most disastrous ones, were... announced months after the occurrence. T-Mobile serves as a laudable example of prompt incident response. This, however, does not absolve them from accountability for the breach and further cyber-security enhancement to prevent similar incidents in the future."
A subsidiary of Germany-based Deutsche Telekom AG, T-Mobile previously contended with a major data breach in 2015, when its credit vendor Experian was hacked, compromising the personal information of about 15 million customers and applicants. In 2017, a researcher found a bug in T-Mobile's wsg.t-mobile.com API, which could have allowed attackers to access customer data, although the company said only a few hundred customers were affected. And in 2018, another researcher discovered a glitch in T-Mobile's website resulting from an unprotected API, potentially allowing anyone to look up customer details including full names, postal addresses, billing account numbers, and other information.