T-Mobile says that 48 million subscribers were victimized in data breach, offers free ID protection

Just a few days ago, we told you that some T-Mobile customers were victimized by a data breach that collected personal information belonging to the carrier's subscribers. This morning, The Wall Street Journal said the information stolen from 47.8 million current and prospective customers included first and last names, birth dates, information from driver's licenses, and Social Security numbers.

T-Mobile said that 7.8 million of the accounts involved in the attack belong to current postpaid customers. The remaining 40 million people victimized are accounts belonging to former customers and potential customers who applied for credit and might not have actually done any business with the wireless provider. 850,000 active pre-paid T-Mobile customers had their names, phone numbers, and account PINs left open and T-Mobile says that it will "proactively reset all of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away."

No Metro by T-Mobile customers, former Sprint prepaid subscribers, and Boost Mobile users had their names or PIN numbers exposed. 

In a statement, the nation's second-largest carrier said, "While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.

We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit, or other payment information.

Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.

Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers."

As we already mentioned, T-Mobile already reset PIN numbers for prepaid subscribers. It recommends that postpaid subscribers change their PIN numbers. T-Mobile says that it found an access point that was used by the attackers to break into the company's servers and patched it. The company called the data breach "a highly sophisticated cyberattack," and a person who claims to know the identity of the attacker explained how it went down.

The attacker supposedly relied on lax security to break into T-Mobile's backup servers which contain unencrypted data dating back to the mid-1990s. A sample of the data stolen included important data such as names, addresses, and serial numbers that can help to identify the specific handset unit that a customer uses, and the subscriber identity module, or SIM. With the latter information, an attacker could steal a victim's phone number or create other fraudulent scenarios.

Gizmodo states that this morning, T-Mobile said that it will offer two years of free identity protection to McAfee’s ID Theft Protection Service and will encourage customers to sign up for T-Mobile’s Account Takeover Protection service. The carrier added that "We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack.

While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve."