T-Mobile is investigating another personal data hack, this time involving about 37 million customers.
The wireless giant disclosed in a filing with the Securities and Exchange Commission on Thursday that it had discovered a cyberattack on Jan. 5, 2023 that exposed the personal information of tens of millions of T-Mobile
customers — although it tried to assure that this breach did not include “the most sensitive types” of information that would put customer accounts and finances at risk.
T-Mobile described the hack as “a bad actor used a single Application Programming Interface (or API) to obtain limited types of information” on customer accounts, including names, billing addresses, email addresses, phone numbers, birthdays, account numbers and some information about the types of plans customers are on. The telecommunications company described the leaked data as “basic customer information” along the lines of what is “widely available in marketing databases or directories” already.
“No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised,” the company added in a statement.
That didn’t stop some rattled customers from worrying about whether this breach could still potentially lead to their identities being stolen, however. This is the eighth time T-Mobile has been hacked since 2018. And this latest breach follows a similar leak in 2021, when the personal data of about 54 million of its then current, former and prospective customers was compromised — including names, birthdays, Social Security numbers and driver’s license information.
The breach led “T-Mobile” to trend on Twitter well into Friday. “I honestly don’t understand why T-Mobile is still allowed to operate. This company gets broken into CONSTANTLY,” chimed in one Twitter user.
T-Mobile said it’s still in the process of informing impacted customers about the hack, and users can log into their accounts for more details. The company also said that it plans to continue to make “substantial, multi-year investments” in strengthening its cybersecurity. T-Mobile pledged spending $150 million on security technology in 2022 and 2023, in fact, as part of its proposal to pay $350 million to settle a class-action lawsuit tied to the 2021 hack.
But in the meantime, here’s what you should do if you think that your personal data could have been compromised.
Assume your data is already out there
Even if your data wasn’t among the 35 million exposed accounts, it’s good practice to just assume that your data is already out there, said Ted Rossman, senior industry analyst at Bankrate.com.
That’s because there have been quite a few big data breaches over the last several years, including credit-reporting firm Equifax’s
shocking breach that exposed the data of 143 million Americans in 2017. So assuming that your data has been leaked already is a good idea. In fact, T-Mobile’s note that the leaked information is along the lines of what is already “widely available in marketing databases or directories” demonstrates just how much of our personal information is online now.
Freeze your credit
Next, freeze your credit. This stops lenders from being able to see your credit report, making it impossible to open new accounts in your name.
You can freeze your credit online at no cost through each of the three main credit bureaus — Equifax, Experian and TransUnion.
The good news is that, unlike the previous T-Mobile breach, it doesn’t appear that Social Security numbers were leaked, since they could be used to spin up a fake identity or to steal your identity to open a credit card that they’re not going to pay back, or some other type of loan, Rossman said. But it’s still a good idea to freeze your credit for the time being, and to stay on guard by monitoring your credit reports.
“The big benefit is, if lenders can’t see your report, they’re not going to issue credit [and] it’s going to keep the bad guys out,” Rothman said.
Rossman said it’s good practice to always have a freeze on your credit, which you can temporarily lift when you’re applying for a line of credit. That way, when there’s the next inevitable data breach, your credit is already protected.
“I really think it’s the best defense we have against criminals opening accounts in our names,” Rossman said.
Check your credit report and bank statements
Having good data practices — like regularly changing and varying passwords, not using public Wi-Fi for sensitive business and not giving out personal information — are helpful.
But most of the battle, Rossman said, is doing the big stuff, like checking your credit report and bank statements regularly.
With the T-Mobile hack specifically, it doesn’t seem that payment information, like credit card numbers, were swiped. But it’s still a good idea to look out for suspicious transactions. This is just another reminder, Rossman said, of why using credit cards is more secure than using debit cards. It’s relatively easy to get a fraudulent transaction wiped off your credit statement, he said, but when you’re using debit, that’s real money missing for a time.
But what’s more worrying, and harder to undue, is someone opening a fraudulent account in your name. So when checking your credit report, look closely for accounts that don’t belong to you.
“This is something that we’ve been hearing more about in recent years; sometimes they just directly steal your identity, other times it’s more of synthetic ID fraud where they blend some of your information with some of somebody else’s information,” Rossman said. “I would definitely be on the lookout for accounts that don’t belong to you — that could definitely be a red flag.”
Typically, you can get a free copy of your report from each of the three credit bureaus once every 12 months. But since the COVID-19 pandemic began, you can now access a copy of your credit report for free every week at annualcreditreport.com.
Keep an eye out for any strange or unexpected bills
Something that people might not expect is someone using the hacked information to get health insurance in your name, Rossman said.
“That’s another thing that I don’t think a lot of people think about that is ID theft, but that’s another one where you definitely want to be on the lookout if you get some weird explanation of benefits or a health insurance claim that doesn’t belong to you,” he said.
This one might be a little harder to ward off, because a credit freeze isn’t going to stop it, and there’s not really anywhere you can check to see if someone is doing this.
But if you get a weird bill in the mail, don’t “just throw it out and be like, ‘Oh, that’s weird. That wasn’t me,’” Rossman said. “If you get something like that, you definitely want to escalate it.”
You could also check your health insurance claims through your provider online to make sure there aren’t any that you didn’t file.
Be wary of phishing scams
Rossman warned that fraudsters can take advantage of breaches like this because, now that they’ve gotten ahold of some of your personal information, they can use it to phish for more.
“For example, you might get an email or a text message or a phone call from someone posing as T-Mobile. They might include some legitimate information, such as your address and birth date, to promote trust,” Rossman said. “Then they ask for something they don’t already know, like your Social Security number or credit card number or some other sensitive piece of information which they can take advantage of.”
It these bad actors may not just pose as T-Mobile employees. Such phishing attempts could include someone pretending to be the IRS or the Social Security Administration, or your bank, or shopping sites like Amazon. Do not give out any sensitive information.
“If you think it might be a legitimate request, verify through trusted means,” said Rossman. “For example, if this call or email or text message is supposedly from your bank, call the customer service number on the back of your debit card so that you’re in control. You’ve initiated the communication through a phone number you trust, and you’re sure you’re really speaking with the bank, not just some random person who says they’re with the bank.”
Keep your guard up
Even if you’re not a T-Mobile customer, it’s still important to keep good security habits.
“Whether it’s this breach or another one, it’s just important to keep our guard up,” Rossman said. “Sometimes, there’s a long tail to these things.”
Your data might have been leaked now, but the actual fraud could happen in a few years. Or you might have your identity stolen now because of a hack from years ago. Therefore, it’s smart to regularly monitor your reports, stay alert and put a freeze on your credit.