T-Mobile Discloses Data Breach After SIM Swapping Attacks

American telecommunications provider T-Mobile has disclosed a data breach after an unknown number of customers were apparently affected by SIM swap attacks.

SIM swap fraud (or SIM hijacking) allows scammers to take control of targets’ phone numbers after porting them using social engineering or after bribing mobile operator employees to a SIM controlled by the fraudsters.

Subsequently, they receive the victims’ messages and calls which allows for easily bypassing SMS-based multi-factor authentication (MFA), stealing user credentials, as well taking over the victims’ online service accounts.

The criminals can then log into the victims’ bank accounts to steal money, change account passwords, and even locking the victims out of their own accounts.

The FBI shared guidance on how to defend against SIM swapping following an increase in the number of SIM hijacking attacks targeting cryptocurrency adopters and investors.

Also Read: Data Protection Officer Duties And Responsibilities

Undisclosed number of SIM swap attacks

In a data breach notice sent to impacted customers on February 9, 2021, and filed with US attorney generals’ offices, T-Mobile revealed that an unknown attacker gained access to customers’ account information, including personal info and personal identification numbers (PINs).

As the attackers were able to port numbers, it is not clear if they gained access to an employee’s account or did it through the compromised users’ accounts.

A T-Mobile spokesperson was not available for comment when contacted by BleepingComputer earlier today.

“[A]n unknown actor gained access to certain account information. It appears the actor may then have used this information to port your line to a different carrier without your authorization,” T-Mobile said.

“T-Mobile identified this activity—terminated the unauthorized access, and implemented measures to protect against reoccurrence.”

The information accessed by the hackers might have included customers’ full names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed to their accounts.

“T-Mobile quickly identified and terminated the unauthorized activity; however we do recommend that you change your customer account PIN,” the company also said.

Impacted T-Mobile customers are advised to change their account’s password, PIN, as well as their security questions and answers.

T-Mobile is offering two years of free credit monitoring and identity theft detection services through Transunion’s myTrueIdentity.

Fifth data breach in four years

This is the fifth data breach disclosed by T-Mobile during the last four years, all of them being reported after hackers gained access to customers’ data.

T-Mobile previously suffered from breaches in 2018 when millions of customers’ info was accessed by hackers and in 2019 after exposing prepaid customers’ data.

Last year, the company disclosed two more breaches, one of them in March 2020, when attackers gained access to customer and employee data.

In December 2020, T-Mobile’s suffered another data breach after unknown threat actors again accessed customers’ phone numbers and call records.

---

Update February 27, 02:44 EST: The attackers used an internal T-Mobile application to target up to 400 customers in SIM swap attack attempts, BleepingComputer has learned. No T-Mobile for Business customers were impacted during this incident.

Also Read: 8 Simple Ways To Improve Your Website Protection

BleepingComputer knows of at least one T-Mobile customer impacted by a SIM hijacking attack during the last month.