T-Mobile revealed attackers accessed its Customer proprietary network information (CPNI), putting the private data of hundreds of thousands of customers at risk.
The year 2020 was devastating for the entire world, but it was twice as problematic for renowned mobile telecom company T-Mobile. Reportedly, the company suffered two massive data breaches within one year. The company has started notifying affected subscribers about the recent attack.
Relatively Narrow Attack Scope
As per T-Mobile, unauthorized attackers accessed the account information of its subscribers. T-Mobile claims that the breach affected less than 0.2% of its over 100 million subscribers, a small fraction of its customer base. However, it still accounts for roughly 200,000 affected subscribers, which is definitely a massive figure. Potentially thousands of T-Mobile users are affected by this breach and may be exposed to social engineering or phishing attacks.
T-Mobile Targeted a Second Time in 2020
It is rather shocking that T-Mobile got attacked twice within a year because it highlights the lackluster security practice the company may have adopted. In March 2020, T-Mobile admitted that phone numbers, name, billing addresses, account numbers, rate plan, and other features, such as whether a customer has added an international calling feature, were exposed. However, social security numbers, passwords, and banking data weren’t accessed. According to the company’s data breach notification, the information related to T-Mobile’s prepaid wireless account was compromised.
“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to the authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised.”
T-Mobile Customer Account Information Exposed
Compared to the previous data breach at T-Mobile and other carriers that have been attacked in 2020, the scope of this attack is relatively narrow. According to T-Mobile, the attack was restricted to Customer Proprietary Network Information, which includes subscribers.’
- Phone numbers
- Number of lines linked with an account
- Call records such as call timing, duration, and phone number.
T-Mobile explained that the breached data doesn’t include:
- Financial information
- Account username
- Email IDs
- Physical addresses
- Social security numbers
- Credit card data
- Login credentials including PINs and passwords, and tax ID.
The company’s data breach notification read:
“Customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC) rules was accessed. The CPNI accessed may have included the phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.”
Investigation Still Underway:
The company reached out to cybersecurity forensics experts to identify the nature and extent of damage and the kind of data breached in the attack. In a security notice T-Mobile shared with its customers, the carrier stated that:
“We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”