T-Mobile Sees Second Data Breach of 2020, Fourth in Three Years

t-mobile data breachOn December 30, 2020, wireless network operator T-Mobile began notifying affected customers of a data security incident – the company’s second data breach in 2020. The telecom giant discovered malicious, unauthorized access to information related to customer accounts.

T-Mobile claims that the breach affected less than 0.2 percent of its 100 million subscribers, approximately 200,000 customers.

The attack reportedly took place in early December. Customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC) rules was compromised, including:

  • Services purchased
  • Call records, such as phone numbers called and the timing and duration of those calls
  • Phone numbers
  • Number of lines subscribed to accounts

According to T-Mobile, the most recent cybersecurity incident did not expose financial details, such as credit card information or Social Security numbers. However, compromised data may be combined with previously breached information to coordinate phishing attempts and social engineering attacks. The FCC refers to CPNI as “some of the most sensitive personal information that carriers and providers have about their customers.”

T-Mobile claims to have immediately shut down unauthorized access and reported the matter to law enforcement. The company is not providing free credit monitoring services to affected individuals.

This is T-Mobile’s fourth data breach in just three years. In addition, before merging with T-Mobile, Sprint disclosed two separate data breaches in 2019. Combined previous, recent security incidents include:

  • August 2018 – personal and account data scraped, affecting 2.3 million T-Mobile customers
  • May 2019 – personal information compromised for an unknown number of Sprint subsidiary Boost Mobile customers
  • June 2019 – Hackers gained access to an unknown number of Sprint’s 50 million customer accounts through the Samsung.com “add a line” website
  • November 2019 – hackers accessed account records affecting 1.2 million prepaid T-Mobile customers
  • December 2019 – more than 260,000 billing statements involving T-Mobile and Sprint customers were exposed by a third-party contractor
  • March 2020 – hackers accessed T-Mobile employee and customer data, reportedly including financial information

T-Mobile became the third-largest cell carrier in the United States after its $30 billion merger with Sprint in April 2020. Headquartered in Bellevue, Washington, the company has annual revenues of over $40 billion.