Content, Americas, Content, Breach, Malware

T-Mobile Cyberattack Spurs Law Firm Investigation

Search Hacked warning on laptop Concept of privacy data being hacked and breached from internet technology threat. 3d renderring.

In the wake of a recent cyberattack against U.S. mobile carrier T-Mobile that potentially impacted 37 million customers, attorneys at Seattle-based law firm Hagens Berman have launched an investigation, according to a prepared statement.

Compromised data may include billing addresses, phone numbers, email addresses, dates of birth, T-Mobile account numbers and other account information, such as the number of lines on the account and plan features, Hagens Berman stated.

This is not the first time T-Mobile customers have had their personal information exposed to identity thieves and dark web actors, and the company has disclosed eight data breaches since 2018., the law firm said.

Issuing a statement on the matter, Thomas E. Loeser, the Hagens Berman attorney leading the investigation, said:

“T-Mobile just seems unwilling to adequately protect its customers’ data. Our research may reveal that additional sensitive information has been compromised, and the company has yet to individually notify affected customers of the data breach, as it is required to under many state laws. Identity theft can turn your life upside down, and consumers deserve the information they need to protect themselves.”

Loeser is a former federal cyber-prosecutor and was a member of the Cyber and Intellectual Property Crimes Section at the U.S. Attorney’s Office in Los Angeles.

T-Mobile Downplays Incident

T-Mobile contends that no passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised. Some basic customer information was obtained, nearly all of which is the type widely available in marketing databases or directories, T-Mobile said.

Last week, T-Mobile issued a statement on the matter:

“We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts. As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”

What Actions to Take?

Hagens Berman’s attorneys suggest that anyone who believes they may have been affected monitor their financial accounts for any suspicious activity. T-Mobile has stated that it will be offering two years of free identity protection services, which may provide limited protection and notification of identity theft, according to the law firm.

Experts are recommending that consumers change their T-Mobile account password and PIN and freeze their credit with all three credit reporting agencies, according Hagens Berman.

“If you elect to use any pay service to protect yourself from identity theft because of the T-Mobile data breach, be sure to save receipts showing your payments,” the law firm stated. “You may be eligible for reimbursement through future legal actions.”

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.