Over the last week we saw 70 million AT&T customers and 53 million T-Mobile customers have their personal data leaked to hackers. While we didn’t find any connections between these two breaches the timing of the incidents is strange.
AT&T has so far denied the breach involving their customers. While we don’t have confirmation from the hackers who breached AT&T, the user who posted the data for sale, ShinnyHunter, has a reputation of providing real breaches. We also find it all too common for companies to deny the breach before finally confirming it when the breach leaks to the public. The AT&T breach contains the following information: Date of birth, names, addresses, email addresses, and Social Security numbers. The breach may contain other private information, but we haven’t confirmed it.
T-Mobile on the other hand confirmed the breach as its fifth breach since 2017, not including the 2015 Experian breach that also lost T-Mobile customer data. The breach likely occurred because of a misconfigured T-Mobile gateway server called a GPRS support node.
The person who claims to have compromised T-Mobile says the company misconfigured a gateway GPRS support node that was apparently used for testing. It was exposed to the internet. That allowed the person to eventually pivot to the LAN. Proof screenshot supplied. pic.twitter.com/tBMvRBmG0r
— Jeremy Kirk (@Jeremy_Kirk) August 16, 2021
T-Mobile confirmed the breach contains names, drivers licenses, government identification numbers, Social Security numbers, dates of birth, PINs, addresses and phone numbers. While we don’t like to place blame on a company that experiences a breach, I don’t think I would trust T-Mobile to keep my private information safe right now.
If you are a T-Mobile or AT&T customer, there unfortunately isn’t a lot you can do once your data has already been stolen. At a minimum though, you should make use of the provided identity theft protection tools and keep track of your credit history but ideally, you shouldn’t give your Social Security number to a phone company even though some require it for service. Also, if you haven’t already, change your PIN and if you use the same PIN for other services like banking change it there as well.