2020 was pretty much a disaster and it ended like one as well, at least for the cybersecurity community, governments, and some companies. Even just a day before it ended, another major US name was added to that list, though this time with far less nefarious consequences than the SolarWinds hacking incident. That said, it still isn’t reassuring that one of the four (now three, really) biggest US mobile operators did get hacked, even if all that may have been accessed were mostly phone numbers.
T-Mobile reassures its customers that personally identifiable information, often called PII, was not part of the data breach. The data accessed didn’t include names, email addresses, payment information, social security numbers, or passwords. Alarms would have definitely sounded louder had that been the case but, fortunately for T-Mobile subscribers, it wasn’t, at least according to the carrier.
What happened was threat actors, a.k.a. hackers, were discovered to have had unauthorized access to T-Mobile’s servers, specifically those handling CPNI or Customer Proprietary Network Information. This data fortunately only holds phone numbers, the number of lines a subscriber has on his or her account, and, occasionally, some “call-related information” or call records. That said, hackers can be pretty ingenious even with seemingly innocent and unusable pieces of data.
The carrier further explains that only a very small percentage of its customers were affected by the breach, roughly 0.2%. As Bleeping Computer computes, however, that means roughly 200,000 people, which isn’t exactly a small number. Then again, it could have affected all of T-Mobile’s 100 million subscribers.
T-Mobile is no stranger to such security breaches, though, especially in the past three years. Given the increasing rate of hacking incidents, however, companies that hold critical personal information for millions of people also need to step up their security game quickly.