T-Mobile USA Had A Data Breach In November, Submitted A Breach Notification One Month Later

January 2, 2014 - Written By Jeremiah Nelson

T-Mobile made some great moves last year and really shook up the wireless industry. Branding itself the “Un-carrier,” T-Mobile unveiled the JUMP! upgrade plan in July and new global data plans in October. Verizon, AT&T, and Sprint struggled to play catch up, each unveiling their own competing plans. For all the good publicity that T-Mobile garnered in 2013, all was not sunshine and rainbows.

It appears that the company has had a data breach, although we don’t know the extent of the damage yet. A post on December 30th uncovered a letter submitted to the state of California by T-Mobile USA. In the letter, T-Mobile admits to the breach but doesn’t give much detail. It appears that a file stored on a server in a supplier’s data center was accessed without authorization. The file contained sensitive customer data like names, addresses, Social Security numbers and Driver’s License numbers. The attackers were looking for credit card numbers, which they were not able to access. Unfortunately, the data breach happened in November and we’re just now finding out about it. The total number of customers affected was not disclosed. Here’s an excerpt from the letter:

“We are writing to inform you of a recent incident of unauthorized access to a file stored on servers owned and managed by a T-Mobile supplier. This file contained personal information, including name, address, Social Security number and/or Driver’s License number. In your case, the party or parties making the unauthorized access may have viewed your <insert data type>. This access was discovered in late November 2013. Although we believe the primary goal of the access was to obtain credit card numbers (which were not included in the file), the information that was accessible could also potentially be misused. Our supplier has taken immediate measures to secure the impacted servers.”

T-Mobile is attempting to correct the situation by offering affected subscribers up to 12 months of credit monitoring from Experian. The service being offered is Experian’s ProtectMyID Elite program, which will monitor subscribers’ credit reports for unauthorized access and notify them if any changes are detected. That this story sat mostly unnoticed for several days suggests that the breach was minimal. T-Mobile USA should have moved a little more quickly in notifying subscribers, though.

2013 will be remembered as the year we all discovered that our personal data is not safe. The NSA is spying on U.S. citizens with the help of some major tech companies. Twitter, Snapchat, The New York Times, Facebook, Evernote, Living Social, and Target are just some of the companies and services that were unable to protect their users’ data last year.